# MISP export of IDS rules - optimized for # # These NIDS rules contain some variables that need to exist in your configuration. # Make sure you have set: # # $HOME_NET - Your internal network range # $EXTERNAL_NET - The network considered as outside # $SMTP_SERVERS - All your internal SMTP servers # $HTTP_PORTS - The ports used to contain HTTP traffic (not required with suricata export) # alert ip $HOME_NET any -> 84.11.146.62 any (msg: "MISP e1 [tlp:white] Outgoing To IP: 84.11.146.62"; classtype:trojan-activity; sid:4000021; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/1;) alert ip $HOME_NET any -> 107.6.172.54 any (msg: "MISP e1 [tlp:white] Outgoing To IP: 107.6.172.54"; classtype:trojan-activity; sid:4000031; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/1;) alert ip $HOME_NET any -> 107.6.181.116 any (msg: "MISP e1 [tlp:white] Outgoing To IP: 107.6.181.116"; classtype:trojan-activity; sid:4000041; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/1;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e1 [tlp:white] Outgoing URL http|3a|//gulfc.haifa.ac.il/index.php/the-ezri-center-in-the-media/291-the-ezri-center-in-the-media"; flow:to_server,established; http.header; content:"gulfc.haifa.ac.il"; fast_pattern; nocase; http.uri; content:"/index.php/the-ezri-center-in-the-media/291-the-ezri-center-in-the-media"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4000111; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/1;) alert dns any any -> any any (msg: "MISP e1 [tlp:white] Domain gulfc.haifa.ac.il"; dns.query; content:"gulfc.haifa.ac.il"; nocase; pcre: "/(^|[^A-Za-z0-9-])gulfc\.haifa\.ac\.il$/i"; classtype:trojan-activity; sid:4000121; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e1 [tlp:white] Outgoing HTTP Domain gulfc.haifa.ac.il"; 
flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gulfc.haifa.ac.il"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gulfc\.haifa\.ac\.il[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4000122; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/1;) alert dns any any -> any any (msg: "MISP e1 [tlp:white] Domain www.iabg.de"; dns.query; content:"www.iabg.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.iabg\.de$/i"; classtype:trojan-activity; sid:4000151; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e1 [tlp:white] Outgoing HTTP Domain www.iabg.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"www.iabg.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.iabg\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4000152; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/1;) alert dns any any -> any any (msg: "MISP e2 [tlp:white] Domain alkavkaz.com"; dns.query; content:"alkavkaz.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])alkavkaz\.com$/i"; classtype:trojan-activity; sid:4000191; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e2 [tlp:white] Outgoing HTTP Domain alkavkaz.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"alkavkaz.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])alkavkaz\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4000192; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert dns any any -> any any (msg: "MISP e2 [tlp:white] Domain cihaderi.net"; dns.query; content:"cihaderi.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])cihaderi\.net$/i"; classtype:trojan-activity; sid:4000201; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/2;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e2 [tlp:white] Outgoing HTTP Domain cihaderi.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cihaderi.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cihaderi\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4000202; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert ip $HOME_NET any -> 128.199.138.233 any (msg: "MISP e2 [tlp:white] Outgoing To IP: 128.199.138.233"; classtype:trojan-activity; sid:4003261; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert ip $HOME_NET any -> 151.236.23.31 any (msg: "MISP e2 [tlp:white] Outgoing To IP: 151.236.23.31"; classtype:trojan-activity; sid:4003271; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert ip $HOME_NET any -> 173.236.70.212 any (msg: "MISP e2 [tlp:white] Outgoing To IP: 173.236.70.212"; classtype:trojan-activity; sid:4003281; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert ip $HOME_NET any -> 176.74.216.14 any (msg: "MISP e2 [tlp:white] Outgoing To IP: 176.74.216.14"; classtype:trojan-activity; sid:4003291; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert ip $HOME_NET any -> 178.21.172.157 any (msg: "MISP e2 [tlp:white] Outgoing To IP: 178.21.172.157"; classtype:trojan-activity; sid:4003301; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert ip $HOME_NET any -> 178.63.149.142 any (msg: "MISP e2 [tlp:white] Outgoing To IP: 178.63.149.142"; classtype:trojan-activity; sid:4003311; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert ip $HOME_NET any -> 184.154.184.83 any (msg: "MISP e2 [tlp:white] Outgoing To IP: 184.154.184.83"; classtype:trojan-activity; sid:4003321; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/2;) alert ip $HOME_NET any -> 188.116.32.164 any (msg: "MISP e2 [tlp:white] Outgoing To IP: 188.116.32.164"; classtype:trojan-activity; sid:4003331; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert ip $HOME_NET any -> 188.241.115.41 any (msg: "MISP e2 [tlp:white] Outgoing To IP: 188.241.115.41"; classtype:trojan-activity; sid:4003341; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert ip $HOME_NET any -> 188.40.13.99 any (msg: "MISP e2 [tlp:white] Outgoing To IP: 188.40.13.99"; classtype:trojan-activity; sid:4003351; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert ip $HOME_NET any -> 195.43.94.104 any (msg: "MISP e2 [tlp:white] Outgoing To IP: 195.43.94.104"; classtype:trojan-activity; sid:4003361; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert ip $HOME_NET any -> 199.231.188.109 any (msg: "MISP e2 [tlp:white] Outgoing To IP: 199.231.188.109"; classtype:trojan-activity; sid:4003371; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert ip $HOME_NET any -> 212.76.128.149 any (msg: "MISP e2 [tlp:white] Outgoing To IP: 212.76.128.149"; classtype:trojan-activity; sid:4003381; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert ip $HOME_NET any -> 46.246.120.178 any (msg: "MISP e2 [tlp:white] Outgoing To IP: 46.246.120.178"; classtype:trojan-activity; sid:4003391; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert ip $HOME_NET any -> 5.45.66.134 any (msg: "MISP e2 [tlp:white] Outgoing To IP: 5.45.66.134"; classtype:trojan-activity; sid:4003401; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert ip $HOME_NET any -> 50.7.192.146 any (msg: "MISP e2 [tlp:white] Outgoing To IP: 50.7.192.146"; classtype:trojan-activity; sid:4003411; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/2;) alert ip $HOME_NET any -> 64.18.143.66 any (msg: "MISP e2 [tlp:white] Outgoing To IP: 64.18.143.66"; classtype:trojan-activity; sid:4003421; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert ip $HOME_NET any -> 66.29.115.55 any (msg: "MISP e2 [tlp:white] Outgoing To IP: 66.29.115.55"; classtype:trojan-activity; sid:4003431; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert ip $HOME_NET any -> 69.59.28.57 any (msg: "MISP e2 [tlp:white] Outgoing To IP: 69.59.28.57"; classtype:trojan-activity; sid:4003441; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert ip $HOME_NET any -> 82.146.47.163 any (msg: "MISP e2 [tlp:white] Outgoing To IP: 82.146.47.163"; classtype:trojan-activity; sid:4003451; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert ip $HOME_NET any -> 82.146.51.22 any (msg: "MISP e2 [tlp:white] Outgoing To IP: 82.146.51.22"; classtype:trojan-activity; sid:4003461; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert ip $HOME_NET any -> 83.149.74.73 any (msg: "MISP e2 [tlp:white] Outgoing To IP: 83.149.74.73"; classtype:trojan-activity; sid:4003471; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert ip $HOME_NET any -> 85.17.143.149 any (msg: "MISP e2 [tlp:white] Outgoing To IP: 85.17.143.149"; classtype:trojan-activity; sid:4003481; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert ip $HOME_NET any -> 87.118.106.55 any (msg: "MISP e2 [tlp:white] Outgoing To IP: 87.118.106.55"; classtype:trojan-activity; sid:4003491; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert ip $HOME_NET any -> 87.255.77.36 any (msg: "MISP e2 [tlp:white] Outgoing To IP: 87.255.77.36"; classtype:trojan-activity; sid:4003501; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert ip 
$HOME_NET any -> 88.150.208.207 any (msg: "MISP e2 [tlp:white] Outgoing To IP: 88.150.208.207"; classtype:trojan-activity; sid:4003511; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert ip $HOME_NET any -> 91.221.66.242 any (msg: "MISP e2 [tlp:white] Outgoing To IP: 91.221.66.242"; classtype:trojan-activity; sid:4003521; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert ip $HOME_NET any -> 91.224.141.235 any (msg: "MISP e2 [tlp:white] Outgoing To IP: 91.224.141.235"; classtype:trojan-activity; sid:4003531; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert ip $HOME_NET any -> 94.242.199.88 any (msg: "MISP e2 [tlp:white] Outgoing To IP: 94.242.199.88"; classtype:trojan-activity; sid:4003541; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert ip $HOME_NET any -> 96.9.182.37 any (msg: "MISP e2 [tlp:white] Outgoing To IP: 96.9.182.37"; classtype:trojan-activity; sid:4003551; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert dns any any -> any any (msg: "MISP e2 [tlp:white] Domain airtravelabroad.com"; dns.query; content:"airtravelabroad.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])airtravelabroad\.com$/i"; classtype:trojan-activity; sid:4003561; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e2 [tlp:white] Outgoing HTTP Domain airtravelabroad.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"airtravelabroad.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])airtravelabroad\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4003562; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert dns any any -> any any (msg: "MISP e2 [tlp:white] Domain beijingnewsblog.net"; dns.query; content:"beijingnewsblog.net"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])beijingnewsblog\.net$/i"; classtype:trojan-activity; sid:4003571; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e2 [tlp:white] Outgoing HTTP Domain beijingnewsblog.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"beijingnewsblog.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])beijingnewsblog\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4003572; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert dns any any -> any any (msg: "MISP e2 [tlp:white] Domain deervalleyassociation.com"; dns.query; content:"deervalleyassociation.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])deervalleyassociation\.com$/i"; classtype:trojan-activity; sid:4003581; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e2 [tlp:white] Outgoing HTTP Domain deervalleyassociation.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"deervalleyassociation.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])deervalleyassociation\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4003582; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert dns any any -> any any (msg: "MISP e2 [tlp:white] Domain greencastleadvantage.com"; dns.query; content:"greencastleadvantage.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])greencastleadvantage\.com$/i"; classtype:trojan-activity; sid:4003591; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e2 [tlp:white] Outgoing HTTP Domain greencastleadvantage.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"greencastleadvantage.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])greencastleadvantage\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4003592; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert dns any any -> any any (msg: "MISP e2 [tlp:white] Domain grouptumbler.com"; dns.query; content:"grouptumbler.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])grouptumbler\.com$/i"; classtype:trojan-activity; sid:4003601; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e2 [tlp:white] Outgoing HTTP Domain grouptumbler.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"grouptumbler.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])grouptumbler\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4003602; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert dns any any -> any any (msg: "MISP e2 [tlp:white] Domain juliet.usexy.cc"; dns.query; content:"juliet.usexy.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-])juliet\.usexy\.cc$/i"; classtype:trojan-activity; sid:4003611; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e2 [tlp:white] Outgoing HTTP Domain juliet.usexy.cc"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"juliet.usexy.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])juliet\.usexy\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4003612; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert dns any any -> any any (msg: "MISP e2 [tlp:white] Domain leveldelta.com"; dns.query; content:"leveldelta.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])leveldelta\.com$/i"; classtype:trojan-activity; sid:4003621; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg: "MISP e2 [tlp:white] Outgoing HTTP Domain leveldelta.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"leveldelta.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])leveldelta\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4003622; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert dns any any -> any any (msg: "MISP e2 [tlp:white] Domain nasdaqblog.net"; dns.query; content:"nasdaqblog.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])nasdaqblog\.net$/i"; classtype:trojan-activity; sid:4003631; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e2 [tlp:white] Outgoing HTTP Domain nasdaqblog.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nasdaqblog.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nasdaqblog\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4003632; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert dns any any -> any any (msg: "MISP e2 [tlp:white] Domain nestedmail.com"; dns.query; content:"nestedmail.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])nestedmail\.com$/i"; classtype:trojan-activity; sid:4003641; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e2 [tlp:white] Outgoing HTTP Domain nestedmail.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nestedmail.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nestedmail\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4003642; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert dns any any -> any any (msg: "MISP e2 [tlp:white] Domain nostressjob.com"; dns.query; content:"nostressjob.com"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])nostressjob\.com$/i"; classtype:trojan-activity; sid:4003651; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e2 [tlp:white] Outgoing HTTP Domain nostressjob.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nostressjob.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nostressjob\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4003652; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert dns any any -> any any (msg: "MISP e2 [tlp:white] Domain nytunion.com"; dns.query; content:"nytunion.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])nytunion\.com$/i"; classtype:trojan-activity; sid:4003661; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e2 [tlp:white] Outgoing HTTP Domain nytunion.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nytunion.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nytunion\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4003662; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert dns any any -> any any (msg: "MISP e2 [tlp:white] Domain oilnewsblog.com"; dns.query; content:"oilnewsblog.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])oilnewsblog\.com$/i"; classtype:trojan-activity; sid:4003671; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e2 [tlp:white] Outgoing HTTP Domain oilnewsblog.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"oilnewsblog.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])oilnewsblog\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4003672; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/2;) alert dns any any -> any any (msg: "MISP e2 [tlp:white] Domain overpict.com"; dns.query; content:"overpict.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])overpict\.com$/i"; classtype:trojan-activity; sid:4003681; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e2 [tlp:white] Outgoing HTTP Domain overpict.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"overpict.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])overpict\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4003682; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert dns any any -> any any (msg: "MISP e2 [tlp:white] Domain serials.hacked.jp"; dns.query; content:"serials.hacked.jp"; nocase; pcre: "/(^|[^A-Za-z0-9-])serials\.hacked\.jp$/i"; classtype:trojan-activity; sid:4003691; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e2 [tlp:white] Outgoing HTTP Domain serials.hacked.jp"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"serials.hacked.jp"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])serials\.hacked\.jp[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4003692; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert dns any any -> any any (msg: "MISP e2 [tlp:white] Domain sixsquare.net"; dns.query; content:"sixsquare.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])sixsquare\.net$/i"; classtype:trojan-activity; sid:4003701; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e2 [tlp:white] Outgoing HTTP Domain sixsquare.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; 
content:"sixsquare.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sixsquare\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4003702; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert dns any any -> any any (msg: "MISP e2 [tlp:white] Domain store.extremesportsevents.net"; dns.query; content:"store.extremesportsevents.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])store\.extremesportsevents\.net$/i"; classtype:trojan-activity; sid:4003711; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e2 [tlp:white] Outgoing HTTP Domain store.extremesportsevents.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"store.extremesportsevents.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])store\.extremesportsevents\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4003712; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert dns any any -> any any (msg: "MISP e2 [tlp:white] Domain ustradecomp.com"; dns.query; content:"ustradecomp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ustradecomp\.com$/i"; classtype:trojan-activity; sid:4003721; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e2 [tlp:white] Outgoing HTTP Domain ustradecomp.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ustradecomp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ustradecomp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4003722; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/2;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e3 [tlp:white] Outgoing URL http|3a|//www.pinlady.net/PluginDetect"; flow:to_server,established; http.header; content:"www.pinlady.net"; 
fast_pattern; nocase; http.uri; content:"/PluginDetect"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4003731; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/3;) alert dns any any -> any any (msg: "MISP e3 [tlp:white] Domain www.pinlady.net"; dns.query; content:"www.pinlady.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.pinlady\.net$/i"; classtype:trojan-activity; sid:4003741; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/3;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e3 [tlp:white] Outgoing HTTP Domain www.pinlady.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"www.pinlady.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.pinlady\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4003742; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/3;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e3 [tlp:white] Outgoing URL http|3a|//flashcritic.com/state-report-reveal-130-websites-used-travel"; flow:to_server,established; http.header; content:"flashcritic.com"; fast_pattern; nocase; http.uri; content:"/state-report-reveal-130-websites-used-travel"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4003781; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/3;) alert dns any any -> any any (msg: "MISP e3 [tlp:white] Domain flashcritic.com"; dns.query; content:"flashcritic.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])flashcritic\.com$/i"; classtype:trojan-activity; sid:4003791; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/3;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e3 [tlp:white] Outgoing HTTP Domain flashcritic.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"flashcritic.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])flashcritic\.com[^A-Za-z0-9-\.]/Hi"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4003792; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/3;) alert dns any any -> any any (msg: "MISP e11 [tlp:white] Domain bkmail.blogdns.com"; dns.query; content:"bkmail.blogdns.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])bkmail\.blogdns\.com$/i"; classtype:trojan-activity; sid:4006231; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/11;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e11 [tlp:white] Outgoing HTTP Domain bkmail.blogdns.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bkmail.blogdns.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bkmail\.blogdns\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4006232; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/11;) alert dns any any -> any any (msg: "MISP e11 [tlp:white] Domain debain.servehttp.com"; dns.query; content:"debain.servehttp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])debain\.servehttp\.com$/i"; classtype:trojan-activity; sid:4006241; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/11;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e11 [tlp:white] Outgoing HTTP Domain debain.servehttp.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"debain.servehttp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])debain\.servehttp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4006242; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/11;) alert dns any any -> any any (msg: "MISP e11 [tlp:white] Domain linuxdns.sytes.net"; dns.query; content:"linuxdns.sytes.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])linuxdns\.sytes\.net$/i"; classtype:trojan-activity; sid:4006251; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/11;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg: "MISP e11 [tlp:white] Outgoing HTTP Domain linuxdns.sytes.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"linuxdns.sytes.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])linuxdns\.sytes\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4006252; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/11;) alert dns any any -> any any (msg: "MISP e11 [tlp:white] Domain news.nhknews.hk"; dns.query; content:"news.nhknews.hk"; nocase; pcre: "/(^|[^A-Za-z0-9-])news\.nhknews\.hk$/i"; classtype:trojan-activity; sid:4006261; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/11;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e11 [tlp:white] Outgoing HTTP Domain news.nhknews.hk"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"news.nhknews.hk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])news\.nhknews\.hk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4006262; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/11;) alert dns any any -> any any (msg: "MISP e11 [tlp:white] Domain sswmail.gotdns.com"; dns.query; content:"sswmail.gotdns.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])sswmail\.gotdns\.com$/i"; classtype:trojan-activity; sid:4006271; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/11;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e11 [tlp:white] Outgoing HTTP Domain sswmail.gotdns.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sswmail.gotdns.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sswmail\.gotdns\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4006272; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/11;) alert dns any any -> any any (msg: "MISP e11 [tlp:white] Domain 
sswwmail.gotdns.com"; dns.query; content:"sswwmail.gotdns.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])sswwmail\.gotdns\.com$/i"; classtype:trojan-activity; sid:4006281; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/11;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e11 [tlp:white] Outgoing HTTP Domain sswwmail.gotdns.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sswwmail.gotdns.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sswwmail\.gotdns\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4006282; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/11;) alert dns any any -> any any (msg: "MISP e11 [tlp:white] Domain sysnc.sytes.net"; dns.query; content:"sysnc.sytes.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])sysnc\.sytes\.net$/i"; classtype:trojan-activity; sid:4006311; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/11;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e11 [tlp:white] Outgoing HTTP Domain sysnc.sytes.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sysnc.sytes.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sysnc\.sytes\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4006312; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/11;) alert dns any any -> any any (msg: "MISP e11 [tlp:white] Domain systeminfothai.gotdns.ch"; dns.query; content:"systeminfothai.gotdns.ch"; nocase; pcre: "/(^|[^A-Za-z0-9-])systeminfothai\.gotdns\.ch$/i"; classtype:trojan-activity; sid:4006321; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/11;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e11 [tlp:white] Outgoing HTTP Domain systeminfothai.gotdns.ch"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"systeminfothai.gotdns.ch"; 
fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])systeminfothai\.gotdns\.ch[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4006322; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/11;) alert dns any any -> any any (msg: "MISP e11 [tlp:white] Domain thailandbbs.ddns.net"; dns.query; content:"thailandbbs.ddns.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])thailandbbs\.ddns\.net$/i"; classtype:trojan-activity; sid:4006331; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/11;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e11 [tlp:white] Outgoing HTTP Domain thailandbbs.ddns.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"thailandbbs.ddns.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])thailandbbs\.ddns\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4006332; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/11;) alert dns any any -> any any (msg: "MISP e11 [tlp:white] Domain ubuntudns.sytes.net"; dns.query; content:"ubuntudns.sytes.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])ubuntudns\.sytes\.net$/i"; classtype:trojan-activity; sid:4006341; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/11;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e11 [tlp:white] Outgoing HTTP Domain ubuntudns.sytes.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ubuntudns.sytes.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ubuntudns\.sytes\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4006342; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/11;) alert dns any any -> any any (msg: "MISP e11 [tlp:white] Domain web12.nhknews.hk"; dns.query; content:"web12.nhknews.hk"; nocase; pcre: "/(^|[^A-Za-z0-9-])web12\.nhknews\.hk$/i"; classtype:trojan-activity; sid:4006351; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/11;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e11 [tlp:white] Outgoing HTTP Domain web12.nhknews.hk"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"web12.nhknews.hk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])web12\.nhknews\.hk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4006352; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/11;) alert ip $HOME_NET any -> 193.239.152.131 any (msg: "MISP e9 [tlp:white] Outgoing To IP: 193.239.152.131"; classtype:trojan-activity; sid:4005161; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/9;) alert ip $HOME_NET any -> 62.210.83.213 any (msg: "MISP e9 [tlp:white] Outgoing To IP: 62.210.83.213"; classtype:trojan-activity; sid:4005171; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/9;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain society.go.th"; dns.query; content:"society.go.th"; nocase; pcre: "/(^|[^A-Za-z0-9-])society\.go\.th$/i"; classtype:trojan-activity; sid:4005271; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain society.go.th"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"society.go.th"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])society\.go\.th[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005272; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert ip $HOME_NET any -> 119.205.158.70 any (msg: "MISP e10 [tlp:white] Outgoing To IP: 119.205.158.70"; classtype:trojan-activity; sid:4005281; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain sswmail.gotdns.com"; dns.query; 
content:"sswmail.gotdns.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])sswmail\.gotdns\.com$/i"; classtype:trojan-activity; sid:4005291; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain sswmail.gotdns.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sswmail.gotdns.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sswmail\.gotdns\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005292; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain qemail.gotdns.com"; dns.query; content:"qemail.gotdns.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])qemail\.gotdns\.com$/i"; classtype:trojan-activity; sid:4005301; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain qemail.gotdns.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"qemail.gotdns.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])qemail\.gotdns\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005302; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain ubuntudns.sytes.net"; dns.query; content:"ubuntudns.sytes.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])ubuntudns\.sytes\.net$/i"; classtype:trojan-activity; sid:4005311; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain ubuntudns.sytes.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ubuntudns.sytes.net"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])ubuntudns\.sytes\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005312; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain web12.nhknews.hk"; dns.query; content:"web12.nhknews.hk"; nocase; pcre: "/(^|[^A-Za-z0-9-])web12\.nhknews\.hk$/i"; classtype:trojan-activity; sid:4005321; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain web12.nhknews.hk"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"web12.nhknews.hk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])web12\.nhknews\.hk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005322; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain systeminfothai.gotdns.ch"; dns.query; content:"systeminfothai.gotdns.ch"; nocase; pcre: "/(^|[^A-Za-z0-9-])systeminfothai\.gotdns\.ch$/i"; classtype:trojan-activity; sid:4005331; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain systeminfothai.gotdns.ch"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"systeminfothai.gotdns.ch"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])systeminfothai\.gotdns\.ch[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005332; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain bkmail.blogdns.com"; dns.query; content:"bkmail.blogdns.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])bkmail\.blogdns\.com$/i"; classtype:trojan-activity; sid:4005341; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain bkmail.blogdns.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bkmail.blogdns.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bkmail\.blogdns\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005342; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain thailandbbs.ddns.net"; dns.query; content:"thailandbbs.ddns.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])thailandbbs\.ddns\.net$/i"; classtype:trojan-activity; sid:4005351; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain thailandbbs.ddns.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"thailandbbs.ddns.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])thailandbbs\.ddns\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005352; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain blog.nhknews.hk"; dns.query; content:"blog.nhknews.hk"; nocase; pcre: "/(^|[^A-Za-z0-9-])blog\.nhknews\.hk$/i"; classtype:trojan-activity; sid:4005361; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain blog.nhknews.hk"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"blog.nhknews.hk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])blog\.nhknews\.hk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005362; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain news.nhknews.hk"; dns.query; content:"news.nhknews.hk"; nocase; pcre: "/(^|[^A-Za-z0-9-])news\.nhknews\.hk$/i"; classtype:trojan-activity; sid:4005371; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain news.nhknews.hk"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"news.nhknews.hk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])news\.nhknews\.hk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005372; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain sysnc.sytes.net"; dns.query; content:"sysnc.sytes.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])sysnc\.sytes\.net$/i"; classtype:trojan-activity; sid:4005381; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain sysnc.sytes.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sysnc.sytes.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sysnc\.sytes\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005382; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain debain.servehttp.com"; dns.query; content:"debain.servehttp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])debain\.servehttp\.com$/i"; classtype:trojan-activity; sid:4005391; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain debain.servehttp.com"; flow:to_server,established; http.header; 
content: "Host|3a|"; nocase; http.header; content:"debain.servehttp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])debain\.servehttp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005392; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain sswwmail.gotdns.com"; dns.query; content:"sswwmail.gotdns.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])sswwmail\.gotdns\.com$/i"; classtype:trojan-activity; sid:4005401; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain sswwmail.gotdns.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sswwmail.gotdns.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sswwmail\.gotdns\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005402; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain linuxdns.sytes.net"; dns.query; content:"linuxdns.sytes.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])linuxdns\.sytes\.net$/i"; classtype:trojan-activity; sid:4005421; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain linuxdns.sytes.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"linuxdns.sytes.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])linuxdns\.sytes\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005422; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain www.chinabztech.com"; dns.query; content:"www.chinabztech.com"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])www\.chinabztech\.com$/i"; classtype:trojan-activity; sid:4005431; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain www.chinabztech.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"www.chinabztech.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.chinabztech\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005432; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain www.tibetonline.info"; dns.query; content:"www.tibetonline.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.tibetonline\.info$/i"; classtype:trojan-activity; sid:4005441; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain www.tibetonline.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"www.tibetonline.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.tibetonline\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005442; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain 3h01.dwy.cc"; dns.query; content:"3h01.dwy.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-])3h01\.dwy\.cc$/i"; classtype:trojan-activity; sid:4005451; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain 3h01.dwy.cc"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"3h01.dwy.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])3h01\.dwy\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4005452; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain www.vxea.com"; dns.query; content:"www.vxea.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.vxea\.com$/i"; classtype:trojan-activity; sid:4005461; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain www.vxea.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"www.vxea.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.vxea\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005462; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain dwy.cc"; dns.query; content:"dwy.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-])dwy\.cc$/i"; classtype:trojan-activity; sid:4005471; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain dwy.cc"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dwy.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dwy\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005472; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain nine.alltosec.com"; dns.query; content:"nine.alltosec.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])nine\.alltosec\.com$/i"; classtype:trojan-activity; sid:4005481; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain nine.alltosec.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; 
http.header; content:"nine.alltosec.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nine\.alltosec\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005482; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain www.rooter.tk"; dns.query; content:"www.rooter.tk"; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.rooter\.tk$/i"; classtype:trojan-activity; sid:4005491; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain www.rooter.tk"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"www.rooter.tk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.rooter\.tk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005492; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain wucy08.eicp.net"; dns.query; content:"wucy08.eicp.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])wucy08\.eicp\.net$/i"; classtype:trojan-activity; sid:4005501; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain wucy08.eicp.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wucy08.eicp.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wucy08\.eicp\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005502; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain welcome.dnsd.info"; dns.query; content:"welcome.dnsd.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])welcome\.dnsd\.info$/i"; classtype:trojan-activity; sid:4005511; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain welcome.dnsd.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"welcome.dnsd.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])welcome\.dnsd\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005512; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain www.ifilmone.com"; dns.query; content:"www.ifilmone.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.ifilmone\.com$/i"; classtype:trojan-activity; sid:4005521; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain www.ifilmone.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"www.ifilmone.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.ifilmone\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005522; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain pcal2.dwy.cc"; dns.query; content:"pcal2.dwy.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-])pcal2\.dwy\.cc$/i"; classtype:trojan-activity; sid:4005531; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain pcal2.dwy.cc"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pcal2.dwy.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pcal2\.dwy\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005532; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any 
(msg: "MISP e10 [tlp:white] Domain luotuozhizhu.blog.163.com"; dns.query; content:"luotuozhizhu.blog.163.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])luotuozhizhu\.blog\.163\.com$/i"; classtype:trojan-activity; sid:4005541; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain luotuozhizhu.blog.163.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"luotuozhizhu.blog.163.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])luotuozhizhu\.blog\.163\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005542; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain office.alltosec.com"; dns.query; content:"office.alltosec.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])office\.alltosec\.com$/i"; classtype:trojan-activity; sid:4005551; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain office.alltosec.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"office.alltosec.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])office\.alltosec\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005552; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain ftpseck.ftp21.net"; dns.query; content:"ftpseck.ftp21.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])ftpseck\.ftp21\.net$/i"; classtype:trojan-activity; sid:4005561; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain ftpseck.ftp21.net"; flow:to_server,established; http.header; content: 
"Host|3a|"; nocase; http.header; content:"ftpseck.ftp21.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ftpseck\.ftp21\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005562; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain wuzhiting.3322.org"; dns.query; content:"wuzhiting.3322.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])wuzhiting\.3322\.org$/i"; classtype:trojan-activity; sid:4005571; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain wuzhiting.3322.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wuzhiting.3322.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wuzhiting\.3322\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005572; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain googleupdating.com"; dns.query; content:"googleupdating.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])googleupdating\.com$/i"; classtype:trojan-activity; sid:4005581; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain googleupdating.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"googleupdating.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])googleupdating\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005582; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain zz.alltosec.com"; dns.query; content:"zz.alltosec.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])zz\.alltosec\.com$/i"; classtype:trojan-activity; 
sid:4005591; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain zz.alltosec.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"zz.alltosec.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])zz\.alltosec\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005592; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain back.rooter.tk"; dns.query; content:"back.rooter.tk"; nocase; pcre: "/(^|[^A-Za-z0-9-])back\.rooter\.tk$/i"; classtype:trojan-activity; sid:4005601; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain back.rooter.tk"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"back.rooter.tk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])back\.rooter\.tk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005602; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain products.alltosec.com"; dns.query; content:"products.alltosec.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])products\.alltosec\.com$/i"; classtype:trojan-activity; sid:4005611; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain products.alltosec.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"products.alltosec.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])products\.alltosec\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005612; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain windowsupdating.net"; dns.query; content:"windowsupdating.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])windowsupdating\.net$/i"; classtype:trojan-activity; sid:4005621; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain windowsupdating.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"windowsupdating.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])windowsupdating\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005622; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain app.rooter.tk"; dns.query; content:"app.rooter.tk"; nocase; pcre: "/(^|[^A-Za-z0-9-])app\.rooter\.tk$/i"; classtype:trojan-activity; sid:4005631; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain app.rooter.tk"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"app.rooter.tk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])app\.rooter\.tk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005632; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain hkemail.f3322.org"; dns.query; content:"hkemail.f3322.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])hkemail\.f3322\.org$/i"; classtype:trojan-activity; sid:4005641; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain hkemail.f3322.org"; flow:to_server,established; http.header; content: 
"Host|3a|"; nocase; http.header; content:"hkemail.f3322.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hkemail\.f3322\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005642; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain pcal2.yahoolive.us"; dns.query; content:"pcal2.yahoolive.us"; nocase; pcre: "/(^|[^A-Za-z0-9-])pcal2\.yahoolive\.us$/i"; classtype:trojan-activity; sid:4005651; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain pcal2.yahoolive.us"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pcal2.yahoolive.us"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pcal2\.yahoolive\.us[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005652; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain happy.tftpd.net"; dns.query; content:"happy.tftpd.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])happy\.tftpd\.net$/i"; classtype:trojan-activity; sid:4005661; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain happy.tftpd.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"happy.tftpd.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])happy\.tftpd\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005662; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain weather.webhop.me"; dns.query; content:"weather.webhop.me"; nocase; pcre: "/(^|[^A-Za-z0-9-])weather\.webhop\.me$/i"; classtype:trojan-activity; 
sid:4005671; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain weather.webhop.me"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"weather.webhop.me"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])weather\.webhop\.me[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005672; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain ns1.vancouversun.us"; dns.query; content:"ns1.vancouversun.us"; nocase; pcre: "/(^|[^A-Za-z0-9-])ns1\.vancouversun\.us$/i"; classtype:trojan-activity; sid:4005681; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain ns1.vancouversun.us"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ns1.vancouversun.us"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ns1\.vancouversun\.us[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005682; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain n5579a.voanews.hk"; dns.query; content:"n5579a.voanews.hk"; nocase; pcre: "/(^|[^A-Za-z0-9-])n5579a\.voanews\.hk$/i"; classtype:trojan-activity; sid:4005691; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain n5579a.voanews.hk"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"n5579a.voanews.hk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])n5579a\.voanews\.hk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005692; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain hope.jumpingcrab.com"; dns.query; content:"hope.jumpingcrab.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])hope\.jumpingcrab\.com$/i"; classtype:trojan-activity; sid:4005701; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain hope.jumpingcrab.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hope.jumpingcrab.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hope\.jumpingcrab\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005702; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain news.nowpublic.us"; dns.query; content:"news.nowpublic.us"; nocase; pcre: "/(^|[^A-Za-z0-9-])news\.nowpublic\.us$/i"; classtype:trojan-activity; sid:4005711; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain news.nowpublic.us"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"news.nowpublic.us"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])news\.nowpublic\.us[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005712; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain web.vancouversun.us"; dns.query; content:"web.vancouversun.us"; nocase; pcre: "/(^|[^A-Za-z0-9-])web\.vancouversun\.us$/i"; classtype:trojan-activity; sid:4005721; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain web.vancouversun.us"; 
flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"web.vancouversun.us"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])web\.vancouversun\.us[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005722; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain news.voanews.hk"; dns.query; content:"news.voanews.hk"; nocase; pcre: "/(^|[^A-Za-z0-9-])news\.voanews\.hk$/i"; classtype:trojan-activity; sid:4005731; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain news.voanews.hk"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"news.voanews.hk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])news\.voanews\.hk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005732; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain web.voanews.hk"; dns.query; content:"web.voanews.hk"; nocase; pcre: "/(^|[^A-Za-z0-9-])web\.voanews\.hk$/i"; classtype:trojan-activity; sid:4005751; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain web.voanews.hk"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"web.voanews.hk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])web\.voanews\.hk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005752; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain ns3.yomiuri.us"; dns.query; content:"ns3.yomiuri.us"; nocase; pcre: "/(^|[^A-Za-z0-9-])ns3\.yomiuri\.us$/i"; 
classtype:trojan-activity; sid:4005761; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain ns3.yomiuri.us"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ns3.yomiuri.us"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ns3\.yomiuri\.us[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005762; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain tree.crabdance.com"; dns.query; content:"tree.crabdance.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])tree\.crabdance\.com$/i"; classtype:trojan-activity; sid:4005771; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain tree.crabdance.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tree.crabdance.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tree\.crabdance\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005772; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain supercat.strangled.net"; dns.query; content:"supercat.strangled.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])supercat\.strangled\.net$/i"; classtype:trojan-activity; sid:4005781; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain supercat.strangled.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"supercat.strangled.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])supercat\.strangled\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4005782; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain webupdate.strangled.net"; dns.query; content:"webupdate.strangled.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])webupdate\.strangled\.net$/i"; classtype:trojan-activity; sid:4005791; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain webupdate.strangled.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"webupdate.strangled.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])webupdate\.strangled\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005792; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain breaknews.mefound.com"; dns.query; content:"breaknews.mefound.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])breaknews\.mefound\.com$/i"; classtype:trojan-activity; sid:4005801; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain breaknews.mefound.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"breaknews.mefound.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])breaknews\.mefound\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005802; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain succ.gotdns.com"; dns.query; content:"succ.gotdns.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])succ\.gotdns\.com$/i"; classtype:trojan-activity; sid:4005811; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain succ.gotdns.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"succ.gotdns.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])succ\.gotdns\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005812; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain imail.gotdns.com"; dns.query; content:"imail.gotdns.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])imail\.gotdns\.com$/i"; classtype:trojan-activity; sid:4005821; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain imail.gotdns.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"imail.gotdns.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])imail\.gotdns\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005822; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain wmail.gotdns.com"; dns.query; content:"wmail.gotdns.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])wmail\.gotdns\.com$/i"; classtype:trojan-activity; sid:4005831; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain wmail.gotdns.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wmail.gotdns.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wmail\.gotdns\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005832; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain xxcase.gotdns.com"; dns.query; 
content:"xxcase.gotdns.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])xxcase\.gotdns\.com$/i"; classtype:trojan-activity; sid:4005841; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain xxcase.gotdns.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"xxcase.gotdns.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])xxcase\.gotdns\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005842; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain romadc.homelinux.com"; dns.query; content:"romadc.homelinux.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])romadc\.homelinux\.com$/i"; classtype:trojan-activity; sid:4005851; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain romadc.homelinux.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"romadc.homelinux.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])romadc\.homelinux\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005852; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain 3389temp.dyndns.org"; dns.query; content:"3389temp.dyndns.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])3389temp\.dyndns\.org$/i"; classtype:trojan-activity; sid:4005861; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain 3389temp.dyndns.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"3389temp.dyndns.org"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])3389temp\.dyndns\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005862; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain ahcase.gotdns.com"; dns.query; content:"ahcase.gotdns.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ahcase\.gotdns\.com$/i"; classtype:trojan-activity; sid:4005871; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain ahcase.gotdns.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ahcase.gotdns.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ahcase\.gotdns\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005872; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain kcase.gotdns.com"; dns.query; content:"kcase.gotdns.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])kcase\.gotdns\.com$/i"; classtype:trojan-activity; sid:4005881; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain kcase.gotdns.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kcase.gotdns.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kcase\.gotdns\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005882; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain 3389pi.servegame.org"; dns.query; content:"3389pi.servegame.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])3389pi\.servegame\.org$/i"; classtype:trojan-activity; sid:4005891; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain 3389pi.servegame.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"3389pi.servegame.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])3389pi\.servegame\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005892; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain flashcard.gotdns.com"; dns.query; content:"flashcard.gotdns.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])flashcard\.gotdns\.com$/i"; classtype:trojan-activity; sid:4005901; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain flashcard.gotdns.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"flashcard.gotdns.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])flashcard\.gotdns\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005902; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain update.homelinux.com"; dns.query; content:"update.homelinux.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])update\.homelinux\.com$/i"; classtype:trojan-activity; sid:4005911; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain update.homelinux.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"update.homelinux.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])update\.homelinux\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005912; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) 
alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain 3389.homeunix.org"; dns.query; content:"3389.homeunix.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])3389\.homeunix\.org$/i"; classtype:trojan-activity; sid:4005921; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain 3389.homeunix.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"3389.homeunix.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])3389\.homeunix\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005922; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain flashgame.gotdns.com"; dns.query; content:"flashgame.gotdns.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])flashgame\.gotdns\.com$/i"; classtype:trojan-activity; sid:4005931; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain flashgame.gotdns.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"flashgame.gotdns.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])flashgame\.gotdns\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005932; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain anhei.gotdns.com"; dns.query; content:"anhei.gotdns.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])anhei\.gotdns\.com$/i"; classtype:trojan-activity; sid:4005941; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain anhei.gotdns.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; 
http.header; content:"anhei.gotdns.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])anhei\.gotdns\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005942; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain xcase.gotdns.com"; dns.query; content:"xcase.gotdns.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])xcase\.gotdns\.com$/i"; classtype:trojan-activity; sid:4005951; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain xcase.gotdns.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"xcase.gotdns.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])xcase\.gotdns\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005952; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain education.suroot.com"; dns.query; content:"education.suroot.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])education\.suroot\.com$/i"; classtype:trojan-activity; sid:4005961; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain education.suroot.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"education.suroot.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])education\.suroot\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005962; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain server.organiccrap.com"; dns.query; content:"server.organiccrap.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])server\.organiccrap\.com$/i"; classtype:trojan-activity; 
sid:4005971; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain server.organiccrap.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"server.organiccrap.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])server\.organiccrap\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005972; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain pricetag.deaftone.com"; dns.query; content:"pricetag.deaftone.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])pricetag\.deaftone\.com$/i"; classtype:trojan-activity; sid:4005981; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain pricetag.deaftone.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pricetag.deaftone.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pricetag\.deaftone\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4005982; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain williamsblog.dtdns.net"; dns.query; content:"williamsblog.dtdns.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])williamsblog\.dtdns\.net$/i"; classtype:trojan-activity; sid:4006001; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain williamsblog.dtdns.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"williamsblog.dtdns.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])williamsblog\.dtdns\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4006002; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain smith.dtdns.net"; dns.query; content:"smith.dtdns.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])smith\.dtdns\.net$/i"; classtype:trojan-activity; sid:4006011; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain smith.dtdns.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"smith.dtdns.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])smith\.dtdns\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4006012; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert dns any any -> any any (msg: "MISP e10 [tlp:white] Domain durant.dumb1.com"; dns.query; content:"durant.dumb1.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])durant\.dumb1\.com$/i"; classtype:trojan-activity; sid:4006021; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e10 [tlp:white] Outgoing HTTP Domain durant.dumb1.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"durant.dumb1.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])durant\.dumb1\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4006022; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert ip $HOME_NET any -> 103.226.127.47 any (msg: "MISP e10 [tlp:white] Outgoing To IP: 103.226.127.47"; classtype:trojan-activity; sid:4006031; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert ip $HOME_NET any -> 104.156.239.105 any (msg: "MISP e10 [tlp:white] Outgoing To IP: 104.156.239.105"; classtype:trojan-activity; sid:4006041; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/10;) alert ip $HOME_NET any -> 112.167.143.179 any (msg: "MISP e10 [tlp:white] Outgoing To IP: 112.167.143.179"; classtype:trojan-activity; sid:4006051; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert ip $HOME_NET any -> 115.144.107.22 any (msg: "MISP e10 [tlp:white] Outgoing To IP: 115.144.107.22"; classtype:trojan-activity; sid:4006061; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert ip $HOME_NET any -> 115.144.107.46 any (msg: "MISP e10 [tlp:white] Outgoing To IP: 115.144.107.46"; classtype:trojan-activity; sid:4006071; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert ip $HOME_NET any -> 115.144.107.52 any (msg: "MISP e10 [tlp:white] Outgoing To IP: 115.144.107.52"; classtype:trojan-activity; sid:4006081; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert ip $HOME_NET any -> 115.144.107.53 any (msg: "MISP e10 [tlp:white] Outgoing To IP: 115.144.107.53"; classtype:trojan-activity; sid:4006091; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert ip $HOME_NET any -> 115.144.107.134 any (msg: "MISP e10 [tlp:white] Outgoing To IP: 115.144.107.134"; classtype:trojan-activity; sid:4006101; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert ip $HOME_NET any -> 115.144.166.209 any (msg: "MISP e10 [tlp:white] Outgoing To IP: 115.144.166.209"; classtype:trojan-activity; sid:4006111; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert ip $HOME_NET any -> 43.248.8.249 any (msg: "MISP e10 [tlp:white] Outgoing To IP: 43.248.8.249"; classtype:trojan-activity; sid:4006121; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/10;) alert ip $HOME_NET any -> 5.149.254.114 any (msg: "MISP e8 [tlp:white] Outgoing To IP: 5.149.254.114"; classtype:trojan-activity; sid:4004981; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/8;) alert ip $HOME_NET any -> 5.9.32.230 any (msg: "MISP e8 [tlp:white] Outgoing To IP: 5.9.32.230"; classtype:trojan-activity; sid:4004991; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/8;) alert ip $HOME_NET any -> 31.210.111.154 any (msg: "MISP e8 [tlp:white] Outgoing To IP: 31.210.111.154"; classtype:trojan-activity; sid:4005001; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/8;) alert ip $HOME_NET any -> 88.198.25.92 any (msg: "MISP e8 [tlp:white] Outgoing To IP: 88.198.25.92"; classtype:trojan-activity; sid:4005011; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/8;) alert ip $HOME_NET any -> 146.0.74.7 any (msg: "MISP e8 [tlp:white] Outgoing To IP: 146.0.74.7"; classtype:trojan-activity; sid:4005021; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/8;) alert ip $HOME_NET any -> 188.40.8.72 any (msg: "MISP e8 [tlp:white] Outgoing To IP: 188.40.8.72"; classtype:trojan-activity; sid:4005031; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/8;) alert dns any any -> any any (msg: "MISP e12 [tlp:white] Domain www.forum-mil.net"; dns.query; content:"www.forum-mil.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.forum\-mil\.net$/i"; classtype:trojan-activity; sid:4006651; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e12 [tlp:white] Outgoing HTTP Domain www.forum-mil.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"www.forum-mil.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.forum\-mil\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4006652; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert dns any any -> any any (msg: "MISP e12 [tlp:white] Domain www.tvzvezda.net"; dns.query; content:"www.tvzvezda.net"; nocase; 
pcre: "/(^|[^A-Za-z0-9-])www\.tvzvezda\.net$/i"; classtype:trojan-activity; sid:4006681; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e12 [tlp:white] Outgoing HTTP Domain www.tvzvezda.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"www.tvzvezda.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.tvzvezda\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4006682; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e12 [tlp:white] Outgoing URL http|3a|//inosmi.ru/russia/20150818/229690166.html"; flow:to_server,established; http.header; content:"inosmi.ru"; fast_pattern; nocase; http.uri; content:"/russia/20150818/229690166.html"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4006691; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert dns any any -> any any (msg: "MISP e12 [tlp:white] Domain arms-expo.net"; dns.query; content:"arms-expo.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])arms\-expo\.net$/i"; classtype:trojan-activity; sid:4006701; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e12 [tlp:white] Outgoing HTTP Domain arms-expo.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"arms-expo.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])arms\-expo\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4006702; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert dns any any -> any any (msg: "MISP e12 [tlp:white] Domain forum-mil.net"; dns.query; content:"forum-mil.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])forum\-mil\.net$/i"; classtype:trojan-activity; sid:4006711; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/12;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e12 [tlp:white] Outgoing HTTP Domain forum-mil.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"forum-mil.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])forum\-mil\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4006712; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert dns any any -> any any (msg: "MISP e12 [tlp:white] Domain tvzvezda.net"; dns.query; content:"tvzvezda.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])tvzvezda\.net$/i"; classtype:trojan-activity; sid:4006721; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e12 [tlp:white] Outgoing HTTP Domain tvzvezda.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tvzvezda.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tvzvezda\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4006722; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert dns any any -> any any (msg: "MISP e12 [tlp:white] Domain patriotp.com"; dns.query; content:"patriotp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])patriotp\.com$/i"; classtype:trojan-activity; sid:4006741; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e12 [tlp:white] Outgoing HTTP Domain patriotp.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"patriotp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])patriotp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4006742; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e12 
[tlp:white] Source Email Address: gengd@gmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"gengd@gmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4006821; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e12 [tlp:white] Source Email Address: hsdf@gmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"hsdf@gmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4006831; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e12 [tlp:white] Source Email Address: dolphin@yahoo.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"dolphin@yahoo.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4006841; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e12 [tlp:white] Source Email Address: comgjklsdf@gmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"comgjklsdf@gmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4006851; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert dns any any -> any any (msg: "MISP e12 [tlp:white] Domain www.pressmil.com"; dns.query; content:"www.pressmil.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.pressmil\.com$/i"; classtype:trojan-activity; sid:4006911; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e12 [tlp:white] Outgoing HTTP Domain www.pressmil.com"; flow:to_server,established; 
http.header; content: "Host|3a|"; nocase; http.header; content:"www.pressmil.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.pressmil\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4006912; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert ip $HOME_NET any -> 43.252.175.119 any (msg: "MISP e12 [tlp:white] Outgoing To IP: 43.252.175.119"; classtype:trojan-activity; sid:4006921; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert ip $HOME_NET any -> 123.254.104.50 any (msg: "MISP e12 [tlp:white] Outgoing To IP: 123.254.104.50"; classtype:trojan-activity; sid:4006931; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert dns any any -> any any (msg: "MISP e12 [tlp:white] Domain pressmil.com"; dns.query; content:"pressmil.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])pressmil\.com$/i"; classtype:trojan-activity; sid:4006941; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e12 [tlp:white] Outgoing HTTP Domain pressmil.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pressmil.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pressmil\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4006942; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert dns any any -> any any (msg: "MISP e12 [tlp:white] Domain notebookhk.net"; dns.query; content:"notebookhk.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])notebookhk\.net$/i"; classtype:trojan-activity; sid:4006951; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e12 [tlp:white] Outgoing HTTP Domain notebookhk.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"notebookhk.net"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])notebookhk\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4006952; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert dns any any -> any any (msg: "MISP e12 [tlp:white] Domain fedpress.net"; dns.query; content:"fedpress.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])fedpress\.net$/i"; classtype:trojan-activity; sid:4006961; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e12 [tlp:white] Outgoing HTTP Domain fedpress.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"fedpress.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])fedpress\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4006962; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert dns any any -> any any (msg: "MISP e12 [tlp:white] Domain dicemention.com"; dns.query; content:"dicemention.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])dicemention\.com$/i"; classtype:trojan-activity; sid:4006971; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e12 [tlp:white] Outgoing HTTP Domain dicemention.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dicemention.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dicemention\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4006972; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert dns any any -> any any (msg: "MISP e12 [tlp:white] Domain business-isa.mynetav.org"; dns.query; content:"business-isa.mynetav.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])business\-isa\.mynetav\.org$/i"; classtype:trojan-activity; sid:4006981; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg: "MISP e12 [tlp:white] Outgoing HTTP Domain business-isa.mynetav.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"business-isa.mynetav.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])business\-isa\.mynetav\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4006982; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert dns any any -> any any (msg: "MISP e12 [tlp:white] Domain business-rsa.onmypc.org"; dns.query; content:"business-rsa.onmypc.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])business\-rsa\.onmypc\.org$/i"; classtype:trojan-activity; sid:4006991; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e12 [tlp:white] Outgoing HTTP Domain business-rsa.onmypc.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"business-rsa.onmypc.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])business\-rsa\.onmypc\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4006992; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert dns any any -> any any (msg: "MISP e12 [tlp:white] Domain blacktan.cn"; dns.query; content:"blacktan.cn"; nocase; pcre: "/(^|[^A-Za-z0-9-])blacktan\.cn$/i"; classtype:trojan-activity; sid:4007001; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e12 [tlp:white] Outgoing HTTP Domain blacktan.cn"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"blacktan.cn"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])blacktan\.cn[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4007002; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert dns any any -> any any (msg: "MISP e12 
[tlp:white] Domain leeghost.com"; dns.query; content:"leeghost.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])leeghost\.com$/i"; classtype:trojan-activity; sid:4007011; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e12 [tlp:white] Outgoing HTTP Domain leeghost.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"leeghost.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])leeghost\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4007012; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert dns any any -> any any (msg: "MISP e12 [tlp:white] Domain www.leeghost.com"; dns.query; content:"www.leeghost.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.leeghost\.com$/i"; classtype:trojan-activity; sid:4007041; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e12 [tlp:white] Outgoing HTTP Domain www.leeghost.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"www.leeghost.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.leeghost\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4007042; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert dns any any -> any any (msg: "MISP e12 [tlp:white] Domain www.dicemention.com"; dns.query; content:"www.dicemention.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.dicemention\.com$/i"; classtype:trojan-activity; sid:4007071; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e12 [tlp:white] Outgoing HTTP Domain www.dicemention.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"www.dicemention.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])www\.dicemention\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4007072; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert dns any any -> any any (msg: "MISP e12 [tlp:white] Domain darkst.com"; dns.query; content:"darkst.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])darkst\.com$/i"; classtype:trojan-activity; sid:4007081; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e12 [tlp:white] Outgoing HTTP Domain darkst.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"darkst.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])darkst\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4007082; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert dns any any -> any any (msg: "MISP e12 [tlp:white] Domain fsg2.cn"; dns.query; content:"fsg2.cn"; nocase; pcre: "/(^|[^A-Za-z0-9-])fsg2\.cn$/i"; classtype:trojan-activity; sid:4007091; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e12 [tlp:white] Outgoing HTTP Domain fsg2.cn"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"fsg2.cn"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])fsg2\.cn[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4007092; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e12 [tlp:white] Outgoing URL http|3a|//www.arms-expo.net/news/content/387206.rar"; flow:to_server,established; http.header; content:"www.arms-expo.net"; fast_pattern; nocase; http.uri; content:"/news/content/387206.rar"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4007111; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/12;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e12 [tlp:white] Outgoing URL http|3a|//arms-expo.net/news/content/day_2015-08-20.rar"; flow:to_server,established; http.header; content:"arms-expo.net"; fast_pattern; nocase; http.uri; content:"/news/content/day_2015-08-20.rar"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4007121; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e12 [tlp:white] Outgoing URL http|3a|//arms-expo.net/news/samaia_mochnaia_iagernaia_bomba_v_istorii.rar"; flow:to_server,established; http.header; content:"arms-expo.net"; fast_pattern; nocase; http.uri; content:"/news/samaia_mochnaia_iagernaia_bomba_v_istorii.rar"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4007131; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e12 [tlp:white] Outgoing URL http|3a|//www.arms-expo.net/news/content/20150818.rar"; flow:to_server,established; http.header; content:"www.arms-expo.net"; fast_pattern; nocase; http.uri; content:"/news/content/20150818.rar"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4007141; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e12 [tlp:white] Outgoing URL http|3a|//www.tvzvezda.net/news/forces/content/201508181025.rar"; flow:to_server,established; http.header; content:"www.tvzvezda.net"; fast_pattern; nocase; http.uri; content:"/news/forces/content/201508181025.rar"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4007151; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e12 [tlp:white] Outgoing URL 
http|3a|//www.arms-expo.net/news/content/20150818.zip"; flow:to_server,established; http.header; content:"www.arms-expo.net"; fast_pattern; nocase; http.uri; content:"/news/content/20150818.zip"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4007161; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e12 [tlp:white] Outgoing URL http|3a|//www.arms-expo.net/news/content/Day_2015-08-20.rar"; flow:to_server,established; http.header; content:"www.arms-expo.net"; fast_pattern; nocase; http.uri; content:"/news/content/Day_2015-08-20.rar"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4007171; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e12 [tlp:white] Outgoing URL http|3a|//www.arms-expo.net/news/content/VTC.rar"; flow:to_server,established; http.header; content:"www.arms-expo.net"; fast_pattern; nocase; http.uri; content:"/news/content/VTC.rar"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4007181; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e12 [tlp:white] Outgoing URL http|3a|//www.forum-mil.net/news/2015-08-03-3001.rar"; flow:to_server,established; http.header; content:"www.forum-mil.net"; fast_pattern; nocase; http.uri; content:"/news/2015-08-03-3001.rar"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4007211; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert dns any any -> any any (msg: "MISP e12 [tlp:white] Domain www.arms-expo.net"; dns.query; content:"www.arms-expo.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.arms\-expo\.net$/i"; classtype:trojan-activity; sid:4007221; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg: "MISP e12 [tlp:white] Outgoing HTTP Domain www.arms-expo.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"www.arms-expo.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.arms\-expo\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4007222; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e12 [tlp:white] Source Email Address: darkteam...@gmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"darkteam...@gmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4007241; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/12;) alert dns any any -> any any (msg: "MISP e13 [tlp:white] Domain www.cbppnews.com"; dns.query; content:"www.cbppnews.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.cbppnews\.com$/i"; classtype:trojan-activity; sid:4007761; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/13;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e13 [tlp:white] Outgoing HTTP Domain www.cbppnews.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"www.cbppnews.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.cbppnews\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4007762; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/13;) alert dns any any -> any any (msg: "MISP e13 [tlp:white] Domain cdn.sanecat.com"; dns.query; content:"cdn.sanecat.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])cdn\.sanecat\.com$/i"; classtype:trojan-activity; sid:4007771; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/13;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e13 [tlp:white] Outgoing HTTP Domain cdn.sanecat.com"; flow:to_server,established; 
http.header; content: "Host|3a|"; nocase; http.header; content:"cdn.sanecat.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cdn\.sanecat\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4007772; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/13;) alert dns any any -> any any (msg: "MISP e13 [tlp:white] Domain inocnation.com"; dns.query; content:"inocnation.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])inocnation\.com$/i"; classtype:trojan-activity; sid:4007781; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/13;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e13 [tlp:white] Outgoing HTTP Domain inocnation.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"inocnation.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])inocnation\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4007782; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/13;) alert ip $HOME_NET any -> 180.210.206.246 any (msg: "MISP e13 [tlp:white] Outgoing To IP: 180.210.206.246"; classtype:trojan-activity; sid:4007791; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/13;) alert dns any any -> any any (msg: "MISP e13 [tlp:white] Domain we11point.com"; dns.query; content:"we11point.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])we11point\.com$/i"; classtype:trojan-activity; sid:4007801; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/13;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e13 [tlp:white] Outgoing HTTP Domain we11point.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"we11point.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])we11point\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4007802; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/13;) alert dns any any 
-> any any (msg: "MISP e13 [tlp:white] Domain oa.ameteksen.com"; dns.query; content:"oa.ameteksen.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])oa\.ameteksen\.com$/i"; classtype:trojan-activity; sid:4007811; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/13;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e13 [tlp:white] Outgoing HTTP Domain oa.ameteksen.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"oa.ameteksen.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])oa\.ameteksen\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4007812; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/13;) alert dns any any -> any any (msg: "MISP e13 [tlp:white] Domain webmail.vipreclod.com"; dns.query; content:"webmail.vipreclod.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])webmail\.vipreclod\.com$/i"; classtype:trojan-activity; sid:4007821; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/13;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e13 [tlp:white] Outgoing HTTP Domain webmail.vipreclod.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"webmail.vipreclod.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])webmail\.vipreclod\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4007822; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/13;) alert dns any any -> any any (msg: "MISP e13 [tlp:white] Domain capstone.homeftp.net"; dns.query; content:"capstone.homeftp.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])capstone\.homeftp\.net$/i"; classtype:trojan-activity; sid:4007831; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/13;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e13 [tlp:white] Outgoing HTTP Domain capstone.homeftp.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; 
http.header; content:"capstone.homeftp.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])capstone\.homeftp\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4007832; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/13;) alert dns any any -> any any (msg: "MISP e14 [tlp:white] Domain 37atypz123.dns-bind9.com"; dns.query; content:"37atypz123.dns-bind9.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])37atypz123\.dns\-bind9\.com$/i"; classtype:trojan-activity; sid:4008501; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/14;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e14 [tlp:white] Outgoing HTTP Domain 37atypz123.dns-bind9.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"37atypz123.dns-bind9.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])37atypz123\.dns\-bind9\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4008502; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/14;) alert dns any any -> any any (msg: "MISP e14 [tlp:white] Domain 5ppob16.dockerjsbin.com"; dns.query; content:"5ppob16.dockerjsbin.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])5ppob16\.dockerjsbin\.com$/i"; classtype:trojan-activity; sid:4008511; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/14;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e14 [tlp:white] Outgoing HTTP Domain 5ppob16.dockerjsbin.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"5ppob16.dockerjsbin.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])5ppob16\.dockerjsbin\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4008512; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/14;) alert dns any any -> any any (msg: "MISP e14 [tlp:white] Domain 87abfg113.dockerjsbin.com"; dns.query; content:"87abfg113.dockerjsbin.com"; nocase; 
pcre: "/(^|[^A-Za-z0-9-])87abfg113\.dockerjsbin\.com$/i"; classtype:trojan-activity; sid:4008521; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/14;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e14 [tlp:white] Outgoing HTTP Domain 87abfg113.dockerjsbin.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"87abfg113.dockerjsbin.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])87abfg113\.dockerjsbin\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4008522; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/14;) alert dns any any -> any any (msg: "MISP e14 [tlp:white] Domain 87pqxz159.dockerjsbin.com"; dns.query; content:"87pqxz159.dockerjsbin.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])87pqxz159\.dockerjsbin\.com$/i"; classtype:trojan-activity; sid:4008531; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/14;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e14 [tlp:white] Outgoing HTTP Domain 87pqxz159.dockerjsbin.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"87pqxz159.dockerjsbin.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])87pqxz159\.dockerjsbin\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4008532; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/14;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e15 [tlp:white] Outgoing URL http|3a|//www.moi.gov.mm"; flow:to_server,established; http.header; content:"www.moi.gov.mm"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4008751; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/15;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e15 [tlp:white] Outgoing URL http|3a|//www.uecmyanmar.org"; flow:to_server,established; http.header; content:"www.uecmyanmar.org"; nocase; 
tag:session,600,seconds; classtype:trojan-activity; sid:4008761; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/15;) alert dns any any -> any any (msg: "MISP e15 [tlp:white] Domain www.moi.gov.mm"; dns.query; content:"www.moi.gov.mm"; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.moi\.gov\.mm$/i"; classtype:trojan-activity; sid:4008771; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/15;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e15 [tlp:white] Outgoing HTTP Domain www.moi.gov.mm"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"www.moi.gov.mm"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.moi\.gov\.mm[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4008772; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/15;) alert dns any any -> any any (msg: "MISP e15 [tlp:white] Domain usafbi.websecexp.com"; dns.query; content:"usafbi.websecexp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])usafbi\.websecexp\.com$/i"; classtype:trojan-activity; sid:4008781; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/15;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e15 [tlp:white] Outgoing HTTP Domain usafbi.websecexp.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"usafbi.websecexp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])usafbi\.websecexp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4008782; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/15;) alert dns any any -> any any (msg: "MISP e15 [tlp:white] Domain usacia.websecexp.com"; dns.query; content:"usacia.websecexp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])usacia\.websecexp\.com$/i"; classtype:trojan-activity; sid:4008791; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/15;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: 
"MISP e15 [tlp:white] Outgoing HTTP Domain usacia.websecexp.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"usacia.websecexp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])usacia\.websecexp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4008792; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/15;) alert dns any any -> any any (msg: "MISP e15 [tlp:white] Domain webhttps.websecexp.com"; dns.query; content:"webhttps.websecexp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])webhttps\.websecexp\.com$/i"; classtype:trojan-activity; sid:4008801; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/15;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e15 [tlp:white] Outgoing HTTP Domain webhttps.websecexp.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"webhttps.websecexp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])webhttps\.websecexp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4008802; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/15;) alert dns any any -> any any (msg: "MISP e15 [tlp:white] Domain appeur.gnway.cc"; dns.query; content:"appeur.gnway.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-])appeur\.gnway\.cc$/i"; classtype:trojan-activity; sid:4008811; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/15;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e15 [tlp:white] Outgoing HTTP Domain appeur.gnway.cc"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"appeur.gnway.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])appeur\.gnway\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4008812; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/15;) alert dns any any -> any any (msg: "MISP e15 [tlp:white] Domain 
www.uecmyanmar.org"; dns.query; content:"www.uecmyanmar.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.uecmyanmar\.org$/i"; classtype:trojan-activity; sid:4008821; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/15;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e15 [tlp:white] Outgoing HTTP Domain www.uecmyanmar.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"www.uecmyanmar.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.uecmyanmar\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4008822; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/15;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e15 [tlp:white] Outgoing URL http|3a|//www.hjclub.info/bbs/uploadfiles/45/ca-bundle.exe"; flow:to_server,established; http.header; content:"www.hjclub.info"; fast_pattern; nocase; http.uri; content:"/bbs/uploadfiles/45/ca-bundle.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4008831; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/15;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e15 [tlp:white] Outgoing URL http|3a|//client.mailsecurityservice.com/ViewClient/connect.php?n=zxishanchu1106.exe"; flow:to_server,established; http.header; content:"client.mailsecurityservice.com"; fast_pattern; nocase; http.uri; content:"/ViewClient/connect.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4008841; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/15;) alert ip $HOME_NET any -> 118.193.212.98 any (msg: "MISP e15 [tlp:white] Outgoing To IP: 118.193.212.98"; classtype:trojan-activity; sid:4008851; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/15;) alert dns any any -> any any (msg: "MISP e15 [tlp:white] Domain hjclub.info"; dns.query; content:"hjclub.info"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])hjclub\.info$/i"; classtype:trojan-activity; sid:4008861; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/15;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e15 [tlp:white] Outgoing HTTP Domain hjclub.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hjclub.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hjclub\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4008862; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/15;) alert dns any any -> any any (msg: "MISP e15 [tlp:white] Domain www.hjclub.info"; dns.query; content:"www.hjclub.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.hjclub\.info$/i"; classtype:trojan-activity; sid:4008871; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/15;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e15 [tlp:white] Outgoing HTTP Domain www.hjclub.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"www.hjclub.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.hjclub\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4008872; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/15;) alert dns any any -> any any (msg: "MISP e15 [tlp:white] Domain t2.mailsecurityservice.com"; dns.query; content:"t2.mailsecurityservice.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])t2\.mailsecurityservice\.com$/i"; classtype:trojan-activity; sid:4008881; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/15;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e15 [tlp:white] Outgoing HTTP Domain t2.mailsecurityservice.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"t2.mailsecurityservice.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])t2\.mailsecurityservice\.com[^A-Za-z0-9-\.]/Hi"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4008882; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/15;) alert dns any any -> any any (msg: "MISP e15 [tlp:white] Domain t1.mailsecurityservice.com"; dns.query; content:"t1.mailsecurityservice.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])t1\.mailsecurityservice\.com$/i"; classtype:trojan-activity; sid:4008891; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/15;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e15 [tlp:white] Outgoing HTTP Domain t1.mailsecurityservice.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"t1.mailsecurityservice.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])t1\.mailsecurityservice\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4008892; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/15;) alert dns any any -> any any (msg: "MISP e15 [tlp:white] Domain client.mailsecurityservice.com"; dns.query; content:"client.mailsecurityservice.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])client\.mailsecurityservice\.com$/i"; classtype:trojan-activity; sid:4008901; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/15;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e15 [tlp:white] Outgoing HTTP Domain client.mailsecurityservice.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"client.mailsecurityservice.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])client\.mailsecurityservice\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4008902; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/15;) alert ip $HOME_NET any -> 198.44.190.85 any (msg: "MISP e15 [tlp:white] Outgoing To IP: 198.44.190.85"; classtype:trojan-activity; sid:4008931; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/15;) alert ip 
$HOME_NET any -> 103.20.222.0 any (msg: "MISP e15 [tlp:white] Outgoing To IP: 103.20.222.0"; classtype:trojan-activity; sid:4008941; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/15;) alert ip $HOME_NET any -> 59.44.49.88 any (msg: "MISP e15 [tlp:white] Outgoing To IP: 59.44.49.88"; classtype:trojan-activity; sid:4008951; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/15;) alert dns any any -> any any (msg: "MISP e15 [tlp:white] Domain mailsecurityservice.com"; dns.query; content:"mailsecurityservice.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])mailsecurityservice\.com$/i"; classtype:trojan-activity; sid:4008961; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/15;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e15 [tlp:white] Outgoing HTTP Domain mailsecurityservice.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mailsecurityservice.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mailsecurityservice\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4008962; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/15;) alert dns any any -> any any (msg: "MISP e15 [tlp:white] Domain iyouthen.com"; dns.query; content:"iyouthen.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])iyouthen\.com$/i"; classtype:trojan-activity; sid:4008981; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/15;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e15 [tlp:white] Outgoing HTTP Domain iyouthen.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"iyouthen.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])iyouthen\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4008982; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/15;) alert dns any any -> any any (msg: "MISP e15 [tlp:white] Domain 
gmail.iyouthen.com"; dns.query; content:"gmail.iyouthen.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])gmail\.iyouthen\.com$/i"; classtype:trojan-activity; sid:4008991; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/15;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e15 [tlp:white] Outgoing HTTP Domain gmail.iyouthen.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gmail.iyouthen.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gmail\.iyouthen\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4008992; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/15;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e15 [tlp:white] Source Email Address: wojiaojilao2@sohu.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"wojiaojilao2@sohu.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4009001; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/15;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain deyrep24.ddns.net"; dns.query; content:"deyrep24.ddns.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])deyrep24\.ddns\.net$/i"; classtype:trojan-activity; sid:4009311; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain deyrep24.ddns.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"deyrep24.ddns.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])deyrep24\.ddns\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4009312; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert ip $HOME_NET any -> 50.62.133.49 any (msg: "MISP e17 [tlp:white] Outgoing To IP: 50.62.133.49"; classtype:trojan-activity; sid:4009321; 
rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert ip $HOME_NET any -> 192.169.243.65 any (msg: "MISP e17 [tlp:white] Outgoing To IP: 192.169.243.65"; classtype:trojan-activity; sid:4009331; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain daynews.sytes.net"; dns.query; content:"daynews.sytes.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])daynews\.sytes\.net$/i"; classtype:trojan-activity; sid:4009341; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain daynews.sytes.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"daynews.sytes.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])daynews\.sytes\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4009342; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain taskmgr.serveftp.com"; dns.query; content:"taskmgr.serveftp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])taskmgr\.serveftp\.com$/i"; classtype:trojan-activity; sid:4009351; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain taskmgr.serveftp.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"taskmgr.serveftp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])taskmgr\.serveftp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4009352; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e17 [tlp:white] Source Email Address: claudiobonadio88@gmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; 
content:"claudiobonadio88@gmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4009361; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e17 [tlp:white] Source Email Address: cfed.bonadio@gmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"cfed.bonadio@gmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4009371; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert ip $HOME_NET any -> 190.210.180.181 any (msg: "MISP e17 [tlp:white] Outgoing To IP: 190.210.180.181"; classtype:trojan-activity; sid:4009381; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert ip $HOME_NET any -> 201.52.24.126 any (msg: "MISP e17 [tlp:white] Outgoing To IP: 201.52.24.126"; classtype:trojan-activity; sid:4009391; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert ip $HOME_NET any -> 190.20.180.181 any (msg: "MISP e17 [tlp:white] Outgoing To IP: 190.20.180.181"; classtype:trojan-activity; sid:4009401; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert ip $HOME_NET any -> 186.220.1.84 any (msg: "MISP e17 [tlp:white] Outgoing To IP: 186.220.1.84"; classtype:trojan-activity; sid:4009411; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert ip $HOME_NET any -> 186.220.11.67 any (msg: "MISP e17 [tlp:white] Outgoing To IP: 186.220.11.67"; classtype:trojan-activity; sid:4009421; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert ip $HOME_NET any -> 189.100.148.188 any (msg: "MISP e17 [tlp:white] Outgoing To IP: 189.100.148.188"; classtype:trojan-activity; sid:4009431; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert ip $HOME_NET any -> 
179.208.187.216 any (msg: "MISP e17 [tlp:white] Outgoing To IP: 179.208.187.216"; classtype:trojan-activity; sid:4009441; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain taskmgr.servehttp.com"; dns.query; content:"taskmgr.servehttp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])taskmgr\.servehttp\.com$/i"; classtype:trojan-activity; sid:4009451; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain taskmgr.servehttp.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"taskmgr.servehttp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])taskmgr\.servehttp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4009452; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain taskmgr.redirectme.com"; dns.query; content:"taskmgr.redirectme.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])taskmgr\.redirectme\.com$/i"; classtype:trojan-activity; sid:4009461; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain taskmgr.redirectme.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"taskmgr.redirectme.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])taskmgr\.redirectme\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4009462; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain ruley.no-ip.org"; dns.query; content:"ruley.no-ip.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])ruley\.no\-ip\.org$/i"; classtype:trojan-activity; sid:4009471; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain ruley.no-ip.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ruley.no-ip.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ruley\.no\-ip\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4009472; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain lolinha.no-ip.org"; dns.query; content:"lolinha.no-ip.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])lolinha\.no\-ip\.org$/i"; classtype:trojan-activity; sid:4009481; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain lolinha.no-ip.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lolinha.no-ip.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lolinha\.no\-ip\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4009482; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain wjwj.no-ip.org"; dns.query; content:"wjwj.no-ip.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])wjwj\.no\-ip\.org$/i"; classtype:trojan-activity; sid:4009491; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain wjwj.no-ip.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wjwj.no-ip.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wjwj\.no\-ip\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4009492; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns 
any any -> any any (msg: "MISP e17 [tlp:white] Domain conhost.servehttp.com"; dns.query; content:"conhost.servehttp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])conhost\.servehttp\.com$/i"; classtype:trojan-activity; sid:4009501; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain conhost.servehttp.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"conhost.servehttp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])conhost\.servehttp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4009502; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain dllhost.servehttp.com"; dns.query; content:"dllhost.servehttp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])dllhost\.servehttp\.com$/i"; classtype:trojan-activity; sid:4009511; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain dllhost.servehttp.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dllhost.servehttp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dllhost\.servehttp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4009512; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain wjwjwj.no-ip.org"; dns.query; content:"wjwjwj.no-ip.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])wjwjwj\.no\-ip\.org$/i"; classtype:trojan-activity; sid:4009521; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain wjwjwj.no-ip.org"; flow:to_server,established; http.header; content: 
"Host|3a|"; nocase; http.header; content:"wjwjwj.no-ip.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wjwjwj\.no\-ip\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4009522; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain wjwjwjwj.no-ip.org"; dns.query; content:"wjwjwjwj.no-ip.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])wjwjwjwj\.no\-ip\.org$/i"; classtype:trojan-activity; sid:4009531; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain wjwjwjwj.no-ip.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wjwjwjwj.no-ip.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wjwjwjwj\.no\-ip\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4009532; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain ecuadorenvivo.co"; dns.query; content:"ecuadorenvivo.co"; nocase; pcre: "/(^|[^A-Za-z0-9-])ecuadorenvivo\.co$/i"; classtype:trojan-activity; sid:4009541; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain ecuadorenvivo.co"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ecuadorenvivo.co"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ecuadorenvivo\.co[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4009542; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain ecuadorenvivo.com"; dns.query; content:"ecuadorenvivo.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ecuadorenvivo\.com$/i"; classtype:trojan-activity; 
sid:4009551; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain ecuadorenvivo.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ecuadorenvivo.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ecuadorenvivo\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4009552; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e17 [tlp:white] Outgoing URL http|3a|//ecuadorenvivo.com/videos/el-meme-que-volvio-loco-a-correa.html"; flow:to_server,established; http.header; content:"ecuadorenvivo.com"; fast_pattern; nocase; http.uri; content:"/videos/el-meme-que-volvio-loco-a-correa.html"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4009561; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e17 [tlp:white] Outgoing URL http|3a|//ecuadorenvivo.co/videos/el-meme-que-volvio-loco-a-correa.html"; flow:to_server,established; http.header; content:"ecuadorenvivo.co"; fast_pattern; nocase; http.uri; content:"/videos/el-meme-que-volvio-loco-a-correa.html"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4009571; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain www.movimientoanticorreista.com"; dns.query; content:"www.movimientoanticorreista.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.movimientoanticorreista\.com$/i"; classtype:trojan-activity; sid:4009581; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain www.movimientoanticorreista.com"; flow:to_server,established; http.header; 
content: "Host|3a|"; nocase; http.header; content:"www.movimientoanticorreista.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.movimientoanticorreista\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4009582; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain focusecuador.tk"; dns.query; content:"focusecuador.tk"; nocase; pcre: "/(^|[^A-Za-z0-9-])focusecuador\.tk$/i"; classtype:trojan-activity; sid:4009601; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain focusecuador.tk"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"focusecuador.tk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])focusecuador\.tk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4009602; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e17 [tlp:white] Source Email Address: focusedtior1@gmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"focusedtior1@gmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4009611; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert ip $HOME_NET any -> 46.246.89.246 any (msg: "MISP e17 [tlp:white] Outgoing To IP: 46.246.89.246"; classtype:trojan-activity; sid:4009631; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain mesvr.com"; dns.query; content:"mesvr.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])mesvr\.com$/i"; classtype:trojan-activity; sid:4009641; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain mesvr.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mesvr.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mesvr\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4009642; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain ftp.ftpserver.com"; dns.query; content:"ftp.ftpserver.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ftp\.ftpserver\.com$/i"; classtype:trojan-activity; sid:4009691; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain ftp.ftpserver.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ftp.ftpserver.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ftp\.ftpserver\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4009692; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain lavozamericana.info"; dns.query; content:"lavozamericana.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])lavozamericana\.info$/i"; classtype:trojan-activity; sid:4009701; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain lavozamericana.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lavozamericana.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lavozamericana\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4009702; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain ec.cu9.co"; dns.query; 
content:"ec.cu9.co"; nocase; pcre: "/(^|[^A-Za-z0-9-])ec\.cu9\.co$/i"; classtype:trojan-activity; sid:4009711; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain ec.cu9.co"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ec.cu9.co"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ec\.cu9\.co[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4009712; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain movimientoanticorreista.com"; dns.query; content:"movimientoanticorreista.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])movimientoanticorreista\.com$/i"; classtype:trojan-activity; sid:4009721; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain movimientoanticorreista.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"movimientoanticorreista.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])movimientoanticorreista\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4009722; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain mgoogle.us"; dns.query; content:"mgoogle.us"; nocase; pcre: "/(^|[^A-Za-z0-9-])mgoogle\.us$/i"; classtype:trojan-activity; sid:4009731; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain mgoogle.us"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mgoogle.us"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mgoogle\.us[^A-Za-z0-9-\.]/Hi"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4009732; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain no.response.delivery.es"; dns.query; content:"no.response.delivery.es"; nocase; pcre: "/(^|[^A-Za-z0-9-])no\.response\.delivery\.es$/i"; classtype:trojan-activity; sid:4009741; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain no.response.delivery.es"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"no.response.delivery.es"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])no\.response\.delivery\.es[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4009742; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain cu9.co"; dns.query; content:"cu9.co"; nocase; pcre: "/(^|[^A-Za-z0-9-])cu9\.co$/i"; classtype:trojan-activity; sid:4009751; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain cu9.co"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cu9.co"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cu9\.co[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4009752; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e17 [tlp:white] Source Email Address: no.response.delivery.es@gmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"no.response.delivery.es@gmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4009771; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e17 [tlp:white] Outgoing URL http|3a|//mail.asambleanacional.gob.ec"; flow:to_server,established; http.header; content:"mail.asambleanacional.gob.ec"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4009781; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain asambleanacional-gob-ec.cu9.co"; dns.query; content:"asambleanacional-gob-ec.cu9.co"; nocase; pcre: "/(^|[^A-Za-z0-9-])asambleanacional\-gob\-ec\.cu9\.co$/i"; classtype:trojan-activity; sid:4009791; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain asambleanacional-gob-ec.cu9.co"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"asambleanacional-gob-ec.cu9.co"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])asambleanacional\-gob\-ec\.cu9\.co[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4009792; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain mail.asambleanacional.gob.ec"; dns.query; content:"mail.asambleanacional.gob.ec"; nocase; pcre: "/(^|[^A-Za-z0-9-])mail\.asambleanacional\.gob\.ec$/i"; classtype:trojan-activity; sid:4009801; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain mail.asambleanacional.gob.ec"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mail.asambleanacional.gob.ec"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mail\.asambleanacional\.gob\.ec[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4009802; rev:1; 
priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert ip $HOME_NET any -> 198.12.150.249 any (msg: "MISP e17 [tlp:white] Outgoing To IP: 198.12.150.249"; classtype:trojan-activity; sid:4009811; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert ip $HOME_NET any -> 50.63.202.57 any (msg: "MISP e17 [tlp:white] Outgoing To IP: 50.63.202.57"; classtype:trojan-activity; sid:4009821; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain formmail.com"; dns.query; content:"formmail.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])formmail\.com$/i"; classtype:trojan-activity; sid:4009831; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain formmail.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"formmail.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])formmail\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4009832; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert ip $HOME_NET any -> 193.105.134.27 any (msg: "MISP e17 [tlp:white] Outgoing To IP: 193.105.134.27"; classtype:trojan-activity; sid:4009841; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain login-office365.com"; dns.query; content:"login-office365.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])login\-office365\.com$/i"; classtype:trojan-activity; sid:4009851; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain login-office365.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"login-office365.com"; fast_pattern; nocase; 
pcre: "/(^|[^A-Za-z0-9-])login\-office365\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4009852; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain pancaliente.info"; dns.query; content:"pancaliente.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])pancaliente\.info$/i"; classtype:trojan-activity; sid:4009871; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain pancaliente.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pancaliente.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pancaliente\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4009872; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain focusecuador.net"; dns.query; content:"focusecuador.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])focusecuador\.net$/i"; classtype:trojan-activity; sid:4009881; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain focusecuador.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"focusecuador.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])focusecuador\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4009882; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e17 [tlp:white] Source Email Address: enripintos123@outlook.es"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"enripintos123@outlook.es"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; 
classtype:trojan-activity; sid:4009891; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e17 [tlp:white] Source Email Address: movimiento.anti.correista@gmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"movimiento.anti.correista@gmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4009911; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain gmail.com.msg07.xyz"; dns.query; content:"gmail.com.msg07.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])gmail\.com\.msg07\.xyz$/i"; classtype:trojan-activity; sid:4009921; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain gmail.com.msg07.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gmail.com.msg07.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gmail\.com\.msg07\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4009922; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain supportgmai1.com"; dns.query; content:"supportgmai1.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])supportgmai1\.com$/i"; classtype:trojan-activity; sid:4009931; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain supportgmai1.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"supportgmai1.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])supportgmai1\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4009932; rev:1; 
priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain chavistas24.com"; dns.query; content:"chavistas24.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])chavistas24\.com$/i"; classtype:trojan-activity; sid:4009941; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain chavistas24.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"chavistas24.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])chavistas24\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4009942; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e17 [tlp:white] Source Email Address: no-responder@supportgmai1.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"no-responder@supportgmai1.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4009951; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain ns1.hostinger.ru"; dns.query; content:"ns1.hostinger.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])ns1\.hostinger\.ru$/i"; classtype:trojan-activity; sid:4009961; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain ns1.hostinger.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ns1.hostinger.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ns1\.hostinger\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4009962; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET 
any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e17 [tlp:white] Outgoing URL http|3a|//pancaliente.info/los-negocios-secretos-de-leocenis-garcia-y-gonzalo-tirado"; flow:to_server,established; http.header; content:"pancaliente.info"; fast_pattern; nocase; http.uri; content:"/los-negocios-secretos-de-leocenis-garcia-y-gonzalo-tirado"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4009971; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e17 [tlp:white] Outgoing URL http|3a|//venezuela365.com/wp-content/uploads/2014/10/tirado-g-30|30 78|169.jpg"; flow:to_server,established; http.header; content:"venezuela365.com"; fast_pattern; nocase; http.uri; content:"/wp-content/uploads/2014/10/tirado-g-300x169.jpg"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4009981; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain venezuela365.com"; dns.query; content:"venezuela365.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])venezuela365\.com$/i"; classtype:trojan-activity; sid:4009991; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain venezuela365.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"venezuela365.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])venezuela365\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4009992; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain justicia-desvinculados.com"; dns.query; content:"justicia-desvinculados.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])justicia\-desvinculados\.com$/i"; classtype:trojan-activity; sid:4010021; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain justicia-desvinculados.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"justicia-desvinculados.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])justicia\-desvinculados\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4010022; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain taskmgr.redirectme.net"; dns.query; content:"taskmgr.redirectme.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])taskmgr\.redirectme\.net$/i"; classtype:trojan-activity; sid:4010371; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain taskmgr.redirectme.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"taskmgr.redirectme.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])taskmgr\.redirectme\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4010372; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain ftp.server.com"; dns.query; content:"ftp.server.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ftp\.server\.com$/i"; classtype:trojan-activity; sid:4010381; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain ftp.server.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ftp.server.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ftp\.server\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4010382; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain update-outlook.info"; dns.query; content:"update-outlook.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])update\-outlook\.info$/i"; classtype:trojan-activity; sid:4010391; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain update-outlook.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"update-outlook.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])update\-outlook\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4010392; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain deyrep.com"; dns.query; content:"deyrep.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])deyrep\.com$/i"; classtype:trojan-activity; sid:4010401; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain deyrep.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"deyrep.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])deyrep\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4010402; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain support-whatsapp.com"; dns.query; content:"support-whatsapp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])support\-whatsapp\.com$/i"; classtype:trojan-activity; sid:4010411; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain support-whatsapp.com"; flow:to_server,established; http.header; content: 
"Host|3a|"; nocase; http.header; content:"support-whatsapp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])support\-whatsapp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4010412; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain blackboxmusic.co"; dns.query; content:"blackboxmusic.co"; nocase; pcre: "/(^|[^A-Za-z0-9-])blackboxmusic\.co$/i"; classtype:trojan-activity; sid:4010421; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain blackboxmusic.co"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"blackboxmusic.co"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])blackboxmusic\.co[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4010422; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain www.blackboxmusic.co"; dns.query; content:"www.blackboxmusic.co"; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.blackboxmusic\.co$/i"; classtype:trojan-activity; sid:4010431; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain www.blackboxmusic.co"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"www.blackboxmusic.co"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.blackboxmusic\.co[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4010432; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain mail-account-update.com"; dns.query; content:"mail-account-update.com"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])mail\-account\-update\.com$/i"; classtype:trojan-activity; sid:4010441; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain mail-account-update.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mail-account-update.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mail\-account\-update\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4010442; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain lavozmericana.info"; dns.query; content:"lavozmericana.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])lavozmericana\.info$/i"; classtype:trojan-activity; sid:4010451; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain lavozmericana.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lavozmericana.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lavozmericana\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4010452; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain support-java.com"; dns.query; content:"support-java.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])support\-java\.com$/i"; classtype:trojan-activity; sid:4010461; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain support-java.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"support-java.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])support\-java\.com[^A-Za-z0-9-\.]/Hi"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4010462; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain n3.pancaliente.info"; dns.query; content:"n3.pancaliente.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])n3\.pancaliente\.info$/i"; classtype:trojan-activity; sid:4010471; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain n3.pancaliente.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"n3.pancaliente.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])n3\.pancaliente\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4010472; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain n4.pancaliente.info"; dns.query; content:"n4.pancaliente.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])n4\.pancaliente\.info$/i"; classtype:trojan-activity; sid:4010481; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain n4.pancaliente.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"n4.pancaliente.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])n4\.pancaliente\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4010482; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain ns1.deyrep.com"; dns.query; content:"ns1.deyrep.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ns1\.deyrep\.com$/i"; classtype:trojan-activity; sid:4010491; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: 
"MISP e17 [tlp:white] Outgoing HTTP Domain ns1.deyrep.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ns1.deyrep.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ns1\.deyrep\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4010492; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain ns2.deyrep.com"; dns.query; content:"ns2.deyrep.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ns2\.deyrep\.com$/i"; classtype:trojan-activity; sid:4010501; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain ns2.deyrep.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ns2.deyrep.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ns2\.deyrep\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4010502; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain n1.login-office365.com"; dns.query; content:"n1.login-office365.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])n1\.login\-office365\.com$/i"; classtype:trojan-activity; sid:4010511; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain n1.login-office365.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"n1.login-office365.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])n1\.login\-office365\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4010512; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain n2.login-office365.com"; 
dns.query; content:"n2.login-office365.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])n2\.login\-office365\.com$/i"; classtype:trojan-activity; sid:4010521; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain n2.login-office365.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"n2.login-office365.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])n2\.login\-office365\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4010522; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain n1.update-outlook.info"; dns.query; content:"n1.update-outlook.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])n1\.update\-outlook\.info$/i"; classtype:trojan-activity; sid:4010531; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain n1.update-outlook.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"n1.update-outlook.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])n1\.update\-outlook\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4010532; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain ns.update-outlook.info"; dns.query; content:"ns.update-outlook.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])ns\.update\-outlook\.info$/i"; classtype:trojan-activity; sid:4010541; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain ns.update-outlook.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; 
content:"ns.update-outlook.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ns\.update\-outlook\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4010542; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain s1.mgoogle.us"; dns.query; content:"s1.mgoogle.us"; nocase; pcre: "/(^|[^A-Za-z0-9-])s1\.mgoogle\.us$/i"; classtype:trojan-activity; sid:4010551; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain s1.mgoogle.us"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"s1.mgoogle.us"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])s1\.mgoogle\.us[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4010552; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain s2.mgoogle.us"; dns.query; content:"s2.mgoogle.us"; nocase; pcre: "/(^|[^A-Za-z0-9-])s2\.mgoogle\.us$/i"; classtype:trojan-activity; sid:4010561; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain s2.mgoogle.us"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"s2.mgoogle.us"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])s2\.mgoogle\.us[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4010562; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain support-login-validate-outlook.tk"; dns.query; content:"support-login-validate-outlook.tk"; nocase; pcre: "/(^|[^A-Za-z0-9-])support\-login\-validate\-outlook\.tk$/i"; classtype:trojan-activity; sid:4010571; rev:1; 
priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain support-login-validate-outlook.tk"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"support-login-validate-outlook.tk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])support\-login\-validate\-outlook\.tk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4010572; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain verify-gmail-support-secure.tk"; dns.query; content:"verify-gmail-support-secure.tk"; nocase; pcre: "/(^|[^A-Za-z0-9-])verify\-gmail\-support\-secure\.tk$/i"; classtype:trojan-activity; sid:4010581; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain verify-gmail-support-secure.tk"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"verify-gmail-support-secure.tk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])verify\-gmail\-support\-secure\.tk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4010582; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain soporte-login-account-gmail.tk"; dns.query; content:"soporte-login-account-gmail.tk"; nocase; pcre: "/(^|[^A-Za-z0-9-])soporte\-login\-account\-gmail\.tk$/i"; classtype:trojan-activity; sid:4010591; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain soporte-login-account-gmail.tk"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"soporte-login-account-gmail.tk"; 
fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])soporte\-login\-account\-gmail\.tk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4010592; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain soporte-login-account-yahoo.tk"; dns.query; content:"soporte-login-account-yahoo.tk"; nocase; pcre: "/(^|[^A-Za-z0-9-])soporte\-login\-account\-yahoo\.tk$/i"; classtype:trojan-activity; sid:4010601; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain soporte-login-account-yahoo.tk"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"soporte-login-account-yahoo.tk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])soporte\-login\-account\-yahoo\.tk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4010602; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain n1.support-java.com"; dns.query; content:"n1.support-java.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])n1\.support\-java\.com$/i"; classtype:trojan-activity; sid:4010611; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain n1.support-java.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"n1.support-java.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])n1\.support\-java\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4010612; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;) alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain n1.lavozamericana.info"; dns.query; content:"n1.lavozamericana.info"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])n1\.lavozamericana\.info$/i"; classtype:trojan-activity; sid:4010621; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;)
# NOTE(review): this event spells the apex "lavozmericana.info" (sid:4010451/4010452) but this host
# "n1.lavozamericana.info". They may be two distinct attributes or one typo — confirm in MISP event 17.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain n1.lavozamericana.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"n1.lavozamericana.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])n1\.lavozamericana\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4010622; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;)
# NOTE(review): "s1.support" is a bare two-label name under the .support gTLD. Given the "support-*"
# hostnames elsewhere in this event, it may be a truncated attribute — verify before enabling
# sid:4010631/4010632.
alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain s1.support"; dns.query; content:"s1.support"; nocase; pcre: "/(^|[^A-Za-z0-9-])s1\.support$/i"; classtype:trojan-activity; sid:4010631; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain s1.support"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"s1.support"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])s1\.support[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4010632; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;)
# NOTE(review): "ns1.ukraine.com.ua" looks like a hosting provider's shared nameserver rather than
# attacker-controlled infrastructure; any client touching that hoster will trip sid:4010671/4010672.
# Treat as low-confidence and consider tuning or disabling in production.
alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain ns1.ukraine.com.ua"; dns.query; content:"ns1.ukraine.com.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])ns1\.ukraine\.com\.ua$/i"; classtype:trojan-activity; sid:4010671; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain ns1.ukraine.com.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ns1.ukraine.com.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ns1\.ukraine\.com\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4010672; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;)
alert dns any any -> any any (msg: "MISP e17 [tlp:white] Domain android-flash.com"; dns.query; content:"android-flash.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])android\-flash\.com$/i"; classtype:trojan-activity; sid:4010681; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e17 [tlp:white] Outgoing HTTP Domain android-flash.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"android-flash.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])android\-flash\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4010682; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/17;)
alert ip $HOME_NET any -> 59.188.0.197 any (msg: "MISP e18 [tlp:white] Outgoing To IP: 59.188.0.197"; classtype:trojan-activity; sid:4010741; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/18;)
alert dns any any -> any any (msg: "MISP e18 [tlp:white] Domain accounts.serveftp.com"; dns.query; content:"accounts.serveftp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])accounts\.serveftp\.com$/i"; classtype:trojan-activity; sid:4010751; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/18;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e18 [tlp:white] Outgoing HTTP Domain accounts.serveftp.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"accounts.serveftp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])accounts\.serveftp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4010752; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/18;)
# NOTE(review): the word separators in this URI (in both msg and the http.uri content) are not ASCII "-";
# they appear to be U+00AD soft hyphens, unlike every other slug-style URL in this export (e.g. the
# pancaliente.info rule). A real request for this article would carry ASCII hyphens, so sid:4010811 is
# unlikely to ever match. Verify the attribute in MISP event 18 and re-export with plain "-".
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e18 [tlp:white] Outgoing URL http|3a|//www.ejinsight.com/20150831­hku­concern­group­raises­proxy­fears­in­key­vote"; flow:to_server,established; http.header; content:"www.ejinsight.com"; fast_pattern; nocase; http.uri; content:"/20150831­hku­concern­group­raises­proxy­fears­in­key­vote"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4010811; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/18;)
alert dns any any -> any any (msg: "MISP e19 [tlp:white] Domain www.pca-cpa.org"; dns.query; content:"www.pca-cpa.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.pca\-cpa\.org$/i"; classtype:trojan-activity; sid:4010851; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/19;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e19 [tlp:white] Outgoing HTTP Domain www.pca-cpa.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"www.pca-cpa.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.pca\-cpa\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4010852; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/19;)
alert dns any any -> any any (msg: "MISP e19 [tlp:white] Domain pic.nicklockluckydog.org"; dns.query; content:"pic.nicklockluckydog.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])pic\.nicklockluckydog\.org$/i"; classtype:trojan-activity; sid:4010861; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/19;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e19 [tlp:white] Outgoing HTTP Domain pic.nicklockluckydog.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pic.nicklockluckydog.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pic\.nicklockluckydog\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4010862; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/19;)
alert dns any any -> any any (msg: "MISP e19 [tlp:white] 
Domain ssl.nicklockluckydog.org"; dns.query; content:"ssl.nicklockluckydog.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])ssl\.nicklockluckydog\.org$/i"; classtype:trojan-activity; sid:4010881; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/19;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e19 [tlp:white] Outgoing HTTP Domain ssl.nicklockluckydog.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ssl.nicklockluckydog.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ssl\.nicklockluckydog\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4010882; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/19;) alert dns any any -> any any (msg: "MISP e19 [tlp:white] Domain books.blueworldlink2015.net"; dns.query; content:"books.blueworldlink2015.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])books\.blueworldlink2015\.net$/i"; classtype:trojan-activity; sid:4010891; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/19;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e19 [tlp:white] Outgoing HTTP Domain books.blueworldlink2015.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"books.blueworldlink2015.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])books\.blueworldlink2015\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4010892; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/19;) alert dns any any -> any any (msg: "MISP e19 [tlp:white] Domain vpn.nicklockluckydog.org"; dns.query; content:"vpn.nicklockluckydog.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])vpn\.nicklockluckydog\.org$/i"; classtype:trojan-activity; sid:4010901; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/19;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e19 [tlp:white] Outgoing HTTP Domain vpn.nicklockluckydog.org"; 
flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vpn.nicklockluckydog.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vpn\.nicklockluckydog\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4010902; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/19;) alert dns any any -> any any (msg: "MISP e19 [tlp:white] Domain blueworldlink2015.net"; dns.query; content:"blueworldlink2015.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])blueworldlink2015\.net$/i"; classtype:trojan-activity; sid:4010911; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/19;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e19 [tlp:white] Outgoing HTTP Domain blueworldlink2015.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"blueworldlink2015.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])blueworldlink2015\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4010912; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/19;) alert dns any any -> any any (msg: "MISP e19 [tlp:white] Domain nicklockluckydog.org"; dns.query; content:"nicklockluckydog.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])nicklockluckydog\.org$/i"; classtype:trojan-activity; sid:4010931; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/19;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e19 [tlp:white] Outgoing HTTP Domain nicklockluckydog.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nicklockluckydog.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nicklockluckydog\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4010932; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/19;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e20 [tlp:white] Outgoing URL 
https|3a|//cognimuse.cs.ntua.gr/search.php"; tls.sni; content:"cognimuse.cs.ntua.gr"; tag:session,600,seconds; classtype:trojan-activity; sid:4011161; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/20;)
# NOTE(review): the tls.sni rules of event 20 (sid:4011161-4011191) only see the server name, not the
# HTTPS path quoted in msg, so they fire on any TLS session to the host, not just the named URL.
# They are also limited to destination port 443.
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e20 [tlp:white] Outgoing URL https|3a|//portal.sbn.co.th/rss.php"; tls.sni; content:"portal.sbn.co.th"; tag:session,600,seconds; classtype:trojan-activity; sid:4011171; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/20;)
# NOTE(review): SNI carries hostnames; literal IP addresses are not permitted in the HostName field
# (RFC 6066), so a client connecting by IP sends no SNI and sid:4011181/4011191 are unlikely to match.
# Coverage for these two destinations comes from the "alert ip" rules sid:4011231/4011241 instead.
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e20 [tlp:white] Outgoing URL https|3a|//97.75.120.45/news/archive.php"; tls.sni; content:"97.75.120.45"; tag:session,600,seconds; classtype:trojan-activity; sid:4011181; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/20;)
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e20 [tlp:white] Outgoing URL https|3a|//58.80.109.59/plugins/search.php"; tls.sni; content:"58.80.109.59"; tag:session,600,seconds; classtype:trojan-activity; sid:4011191; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/20;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e20 [tlp:white] Outgoing URL http|3a|//flockfilmseries.com/eFax/incoming/5442.ZIP"; flow:to_server,established; http.header; content:"flockfilmseries.com"; fast_pattern; nocase; http.uri; content:"/eFax/incoming/5442.ZIP"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4011201; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/20;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e20 [tlp:white] Outgoing URL http|3a|//www.recordsmanagementservices.com/eFax/incoming/150721/5442.ZIP"; flow:to_server,established; http.header; content:"www.recordsmanagementservices.com"; fast_pattern; nocase; http.uri; content:"/eFax/incoming/150721/5442.ZIP"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4011211; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/20;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e20 [tlp:white] Outgoing URL http|3a|//files.counseling.org/eFax/incoming/150721/5442.ZIP"; flow:to_server,established; http.header; content:"files.counseling.org"; fast_pattern; nocase; http.uri; content:"/eFax/incoming/150721/5442.ZIP"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4011221; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/20;) alert ip $HOME_NET any -> 97.75.120.45 any (msg: "MISP e20 [tlp:white] Outgoing To IP: 97.75.120.45"; classtype:trojan-activity; sid:4011231; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/20;) alert ip $HOME_NET any -> 58.80.109.59 any (msg: "MISP e20 [tlp:white] Outgoing To IP: 58.80.109.59"; classtype:trojan-activity; sid:4011241; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/20;) alert dns any any -> any any (msg: "MISP e20 [tlp:white] Domain cognimuse.cs.ntua.gr"; dns.query; content:"cognimuse.cs.ntua.gr"; nocase; pcre: "/(^|[^A-Za-z0-9-])cognimuse\.cs\.ntua\.gr$/i"; classtype:trojan-activity; sid:4011251; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/20;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e20 [tlp:white] Outgoing HTTP Domain cognimuse.cs.ntua.gr"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cognimuse.cs.ntua.gr"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cognimuse\.cs\.ntua\.gr[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4011252; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/20;) alert dns any any -> any any (msg: "MISP e20 [tlp:white] Domain portal.sbn.co.th"; dns.query; content:"portal.sbn.co.th"; nocase; pcre: "/(^|[^A-Za-z0-9-])portal\.sbn\.co\.th$/i"; classtype:trojan-activity; sid:4011261; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/20;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e20 [tlp:white] Outgoing HTTP Domain portal.sbn.co.th"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"portal.sbn.co.th"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])portal\.sbn\.co\.th[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4011262; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/20;) alert dns any any -> any any (msg: "MISP e20 [tlp:white] Domain flockfilmseries.com"; dns.query; content:"flockfilmseries.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])flockfilmseries\.com$/i"; classtype:trojan-activity; sid:4011271; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/20;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e20 [tlp:white] Outgoing HTTP Domain flockfilmseries.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"flockfilmseries.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])flockfilmseries\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4011272; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/20;) alert dns any any -> any any (msg: "MISP e20 [tlp:white] Domain www.recordsmanagementservices.com"; dns.query; content:"www.recordsmanagementservices.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.recordsmanagementservices\.com$/i"; classtype:trojan-activity; sid:4011281; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/20;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e20 [tlp:white] Outgoing HTTP Domain www.recordsmanagementservices.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"www.recordsmanagementservices.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.recordsmanagementservices\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4011282; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/20;) alert dns any any -> any any (msg: "MISP e20 [tlp:white] Domain files.counseling.org"; dns.query; content:"files.counseling.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])files\.counseling\.org$/i"; classtype:trojan-activity; sid:4011291; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/20;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e20 [tlp:white] Outgoing HTTP Domain files.counseling.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"files.counseling.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])files\.counseling\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4011292; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/20;) alert dns any any -> any any (msg: "MISP e243 [misp-galaxy:mitre-malware="Kwampirs - S0236",tlp:white] Hostname iamnotthec2.ohl.io"; dns.query; content:"iamnotthec2.ohl.io"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])iamnotthec2\.ohl\.io$/i"; classtype:trojan-activity; sid:4101421; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/243;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e243 [misp-galaxy:mitre-malware="Kwampirs - S0236",tlp:white] Outgoing HTTP Hostname iamnotthec2.ohl.io"; flow:to_server,established; http.header; content: "Host|3a| iamnotthec2.ohl.io"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])iamnotthec2\.ohl\.io[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4101422; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/243;) alert ip $HOME_NET any -> 206.198.151.187 any (msg: "MISP e243 [misp-galaxy:mitre-malware="Kwampirs - S0236",tlp:white] Outgoing To IP: 206.198.151.187"; classtype:trojan-activity; sid:4101431; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/243;) alert dns any any -> any 
any (msg: "MISP e22 [tlp:white] Domain extranet.qualityplanning.com"; dns.query; content:"extranet.qualityplanning.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])extranet\.qualityplanning\.com$/i"; classtype:trojan-activity; sid:4011301; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/22;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e22 [tlp:white] Outgoing HTTP Domain extranet.qualityplanning.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"extranet.qualityplanning.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])extranet\.qualityplanning\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4011302; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/22;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e22 [tlp:white] Outgoing URL https|3a|//www.illuminatistudios.net/mobile/viewer.php"; tls.sni; content:"www.illuminatistudios.net"; tag:session,600,seconds; classtype:trojan-activity; sid:4011311; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/22;) alert dns any any -> any any (msg: "MISP e22 [tlp:white] Domain www.illuminatistudios.net"; dns.query; content:"www.illuminatistudios.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.illuminatistudios\.net$/i"; classtype:trojan-activity; sid:4011321; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/22;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e22 [tlp:white] Outgoing HTTP Domain www.illuminatistudios.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"www.illuminatistudios.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.illuminatistudios\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4011322; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/22;) alert ip $HOME_NET any -> 103.254.16.168 any (msg: "MISP e22 [tlp:white] Outgoing To 
IP: 103.254.16.168"; classtype:trojan-activity; sid:4011341; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/22;) alert ip $HOME_NET any -> 103.226.132.7 any (msg: "MISP e22 [tlp:white] Outgoing To IP: 103.226.132.7"; classtype:trojan-activity; sid:4011351; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/22;) alert dns any any -> any any (msg: "MISP e22 [tlp:white] Domain ff.whitebirchpaper.com"; dns.query; content:"ff.whitebirchpaper.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ff\.whitebirchpaper\.com$/i"; classtype:trojan-activity; sid:4011361; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/22;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e22 [tlp:white] Outgoing HTTP Domain ff.whitebirchpaper.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ff.whitebirchpaper.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ff\.whitebirchpaper\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4011362; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/22;) alert dns any any -> any any (msg: "MISP e22 [tlp:white] Domain visionresearch.com"; dns.query; content:"visionresearch.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])visionresearch\.com$/i"; classtype:trojan-activity; sid:4011371; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/22;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e22 [tlp:white] Outgoing HTTP Domain visionresearch.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"visionresearch.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])visionresearch\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4011372; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/22;) alert dns any any -> any any (msg: "MISP e22 [tlp:white] Domain betawebservices.ntnonline.com"; dns.query; 
content:"betawebservices.ntnonline.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])betawebservices\.ntnonline\.com$/i"; classtype:trojan-activity; sid:4011381; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/22;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e22 [tlp:white] Outgoing HTTP Domain betawebservices.ntnonline.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"betawebservices.ntnonline.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])betawebservices\.ntnonline\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4011382; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/22;) alert dns any any -> any any (msg: "MISP e22 [tlp:white] Domain staff.shasta.com"; dns.query; content:"staff.shasta.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])staff\.shasta\.com$/i"; classtype:trojan-activity; sid:4011391; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/22;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e22 [tlp:white] Outgoing HTTP Domain staff.shasta.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"staff.shasta.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])staff\.shasta\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4011392; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/22;) alert dns any any -> any any (msg: "MISP e22 [tlp:white] Domain secure.hgl.com"; dns.query; content:"secure.hgl.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])secure\.hgl\.com$/i"; classtype:trojan-activity; sid:4011401; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/22;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e22 [tlp:white] Outgoing HTTP Domain secure.hgl.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"secure.hgl.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])secure\.hgl\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4011402; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/22;) alert dns any any -> any any (msg: "MISP e22 [tlp:white] Domain illuminatistudios.net"; dns.query; content:"illuminatistudios.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])illuminatistudios\.net$/i"; classtype:trojan-activity; sid:4011411; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/22;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e22 [tlp:white] Outgoing HTTP Domain illuminatistudios.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"illuminatistudios.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])illuminatistudios\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4011412; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/22;) alert ip $HOME_NET any -> 122.228.193.115 any (msg: "MISP e22 [tlp:white] Outgoing To IP: 122.228.193.115"; classtype:trojan-activity; sid:4011441; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/22;) alert dns any any -> any any (msg: "MISP e22 [tlp:white] Domain connectads.com"; dns.query; content:"connectads.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])connectads\.com$/i"; classtype:trojan-activity; sid:4011451; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/22;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e22 [tlp:white] Outgoing HTTP Domain connectads.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"connectads.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])connectads\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4011452; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/22;) alert dns any any -> any any (msg: "MISP e22 [tlp:white] Domain 
kane-consulting.net"; dns.query; content:"kane-consulting.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])kane\-consulting\.net$/i"; classtype:trojan-activity; sid:4011461; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/22;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e22 [tlp:white] Outgoing HTTP Domain kane-consulting.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kane-consulting.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kane\-consulting\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4011462; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/22;) alert dns any any -> any any (msg: "MISP e22 [tlp:white] Domain edadmin.kearsney.com"; dns.query; content:"edadmin.kearsney.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])edadmin\.kearsney\.com$/i"; classtype:trojan-activity; sid:4011471; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/22;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e22 [tlp:white] Outgoing HTTP Domain edadmin.kearsney.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"edadmin.kearsney.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])edadmin\.kearsney\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4011472; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/22;) alert dns any any -> any any (msg: "MISP e22 [tlp:white] Domain redbluffchamber.com"; dns.query; content:"redbluffchamber.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])redbluffchamber\.com$/i"; classtype:trojan-activity; sid:4011481; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/22;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e22 [tlp:white] Outgoing HTTP Domain redbluffchamber.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"redbluffchamber.com"; 
fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])redbluffchamber\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4011482; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/22;) alert dns any any -> any any (msg: "MISP e23 [tlp:white] Domain truecryptrussia.ru"; dns.query; content:"truecryptrussia.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])truecryptrussia\.ru$/i"; classtype:trojan-activity; sid:4011751; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/23;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e23 [tlp:white] Outgoing HTTP Domain truecryptrussia.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"truecryptrussia.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])truecryptrussia\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4011752; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/23;) alert ip $HOME_NET any -> 87.106.44.200 any (msg: "MISP e23 [tlp:white] Outgoing To IP: 87.106.44.200"; classtype:trojan-activity; sid:4011781; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/23;) alert ip $HOME_NET any -> 62.76.42.14 any (msg: "MISP e23 [tlp:white] Outgoing To IP: 62.76.42.14"; classtype:trojan-activity; sid:4011791; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/23;) alert ip $HOME_NET any -> 94.242.199.78 any (msg: "MISP e23 [tlp:white] Outgoing To IP: 94.242.199.78"; classtype:trojan-activity; sid:4011801; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/23;) alert ip $HOME_NET any -> 178.239.60.96 any (msg: "MISP e23 [tlp:white] Outgoing To IP: 178.239.60.96"; classtype:trojan-activity; sid:4011811; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/23;) alert ip $HOME_NET any -> 84.234.71.215 any (msg: "MISP e23 [tlp:white] Outgoing To IP: 84.234.71.215"; classtype:trojan-activity; sid:4011821; rev:1; 
priority:3; reference:url,https://misp.botvrij.eu/events/view/23;) alert ip $HOME_NET any -> 67.103.159.141 any (msg: "MISP e23 [tlp:white] Outgoing To IP: 67.103.159.141"; classtype:trojan-activity; sid:4011831; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/23;) alert ip $HOME_NET any -> 62.76.184.245 any (msg: "MISP e23 [tlp:white] Outgoing To IP: 62.76.184.245"; classtype:trojan-activity; sid:4011841; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/23;) alert ip $HOME_NET any -> 78.47.218.234 any (msg: "MISP e23 [tlp:white] Outgoing To IP: 78.47.218.234"; classtype:trojan-activity; sid:4012771; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/23;) alert ip $HOME_NET any -> 95.86.129.92 any (msg: "MISP e23 [tlp:white] Outgoing To IP: 95.86.129.92"; classtype:trojan-activity; sid:4012781; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/23;) alert ip $HOME_NET any -> 115.68.23.192 any (msg: "MISP e23 [tlp:white] Outgoing To IP: 115.68.23.192"; classtype:trojan-activity; sid:4012791; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/23;) alert ip $HOME_NET any -> 67.18.208.92 any (msg: "MISP e23 [tlp:white] Outgoing To IP: 67.18.208.92"; classtype:trojan-activity; sid:4012801; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/23;) alert ip $HOME_NET any -> 37.139.47.162 any (msg: "MISP e23 [tlp:white] Outgoing To IP: 37.139.47.162"; classtype:trojan-activity; sid:4012811; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/23;) alert ip $HOME_NET any -> 212.227.137.245 any (msg: "MISP e23 [tlp:white] Outgoing To IP: 212.227.137.245"; classtype:trojan-activity; sid:4012821; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/23;) alert ip $HOME_NET any -> 62.76.189.181 any (msg: "MISP e23 [tlp:white] Outgoing To IP: 62.76.189.181"; classtype:trojan-activity; sid:4012831; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/23;) alert ip $HOME_NET any -> 83.169.20.47 any (msg: "MISP e23 [tlp:white] Outgoing To IP: 83.169.20.47"; classtype:trojan-activity; sid:4012841; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/23;) alert ip $HOME_NET any -> 148.251.33.219 any (msg: "MISP e23 [tlp:white] Outgoing To IP: 148.251.33.219"; classtype:trojan-activity; sid:4012851; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/23;) alert ip $HOME_NET any -> 98.129.238.97 any (msg: "MISP e23 [tlp:white] Outgoing To IP: 98.129.238.97"; classtype:trojan-activity; sid:4012861; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/23;) alert ip $HOME_NET any -> 195.210.28.105 any (msg: "MISP e23 [tlp:white] Outgoing To IP: 195.210.28.105"; classtype:trojan-activity; sid:4012871; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/23;) alert ip $HOME_NET any -> 198.136.24.155 any (msg: "MISP e23 [tlp:white] Outgoing To IP: 198.136.24.155"; classtype:trojan-activity; sid:4012881; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/23;) alert ip $HOME_NET any -> 46.165.228.130 any (msg: "MISP e23 [tlp:white] Outgoing To IP: 46.165.228.130"; classtype:trojan-activity; sid:4012891; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/23;) alert ip $HOME_NET any -> 192.154.97.239 any (msg: "MISP e23 [tlp:white] Outgoing To IP: 192.154.97.239"; classtype:trojan-activity; sid:4012901; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/23;) alert ip $HOME_NET any -> 5.44.99.46 any (msg: "MISP e23 [tlp:white] Outgoing To IP: 5.44.99.46"; classtype:trojan-activity; sid:4012911; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/23;) alert ip $HOME_NET any -> 188.240.46.1 any (msg: "MISP e23 [tlp:white] Outgoing To IP: 188.240.46.1"; classtype:trojan-activity; sid:4012921; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/23;) alert ip $HOME_NET any -> 81.196.48.188 any (msg: "MISP e23 [tlp:white] Outgoing To IP: 81.196.48.188"; classtype:trojan-activity; sid:4012931; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/23;) alert ip $HOME_NET any -> 74.54.206.162 any (msg: "MISP e23 [tlp:white] Outgoing To IP: 74.54.206.162"; classtype:trojan-activity; sid:4012941; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/23;) alert ip $HOME_NET any -> 69.64.72.206 any (msg: "MISP e23 [tlp:white] Outgoing To IP: 69.64.72.206"; classtype:trojan-activity; sid:4012951; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/23;) alert ip $HOME_NET any -> 74.208.68.243 any (msg: "MISP e23 [tlp:white] Outgoing To IP: 74.208.68.243"; classtype:trojan-activity; sid:4012961; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/23;) alert ip $HOME_NET any -> 46.163.73.99 any (msg: "MISP e23 [tlp:white] Outgoing To IP: 46.163.73.99"; classtype:trojan-activity; sid:4012971; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/23;) alert ip $HOME_NET any -> 193.34.144.63 any (msg: "MISP e23 [tlp:white] Outgoing To IP: 193.34.144.63"; classtype:trojan-activity; sid:4012981; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/23;) alert ip $HOME_NET any -> 103.3.77.219 any (msg: "MISP e23 [tlp:white] Outgoing To IP: 103.3.77.219"; classtype:trojan-activity; sid:4012991; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/23;) alert ip $HOME_NET any -> 119.59.105.221 any (msg: "MISP e23 [tlp:white] Outgoing To IP: 119.59.105.221"; classtype:trojan-activity; sid:4013001; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/23;) alert ip $HOME_NET any -> 188.40.71.188 any (msg: "MISP e23 [tlp:white] Outgoing To IP: 188.40.71.188"; classtype:trojan-activity; sid:4013011; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/23;) alert ip $HOME_NET any -> 188.40.71.137 any (msg: "MISP e23 [tlp:white] Outgoing To IP: 188.40.71.137"; classtype:trojan-activity; sid:4013021; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/23;) alert ip $HOME_NET any -> 108.179.245.41 any (msg: "MISP e23 [tlp:white] Outgoing To IP: 108.179.245.41"; classtype:trojan-activity; sid:4013031; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/23;) alert ip $HOME_NET any -> 64.40.101.43 any (msg: "MISP e23 [tlp:white] Outgoing To IP: 64.40.101.43"; classtype:trojan-activity; sid:4013041; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/23;) alert ip $HOME_NET any -> 190.228.169.253 any (msg: "MISP e23 [tlp:white] Outgoing To IP: 190.228.169.253"; classtype:trojan-activity; sid:4013051; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/23;) alert ip $HOME_NET any -> 194.15.126.123 any (msg: "MISP e23 [tlp:white] Outgoing To IP: 194.15.126.123"; classtype:trojan-activity; sid:4013061; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/23;) alert ip $HOME_NET any -> 188.127.249.19 any (msg: "MISP e23 [tlp:white] Outgoing To IP: 188.127.249.19"; classtype:trojan-activity; sid:4013071; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/23;) alert dns any any -> any any (msg: "MISP e23 [tlp:white] Domain mntexpress.com"; dns.query; content:"mntexpress.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])mntexpress\.com$/i"; classtype:trojan-activity; sid:4013081; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/23;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e23 [tlp:white] Outgoing HTTP Domain mntexpress.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mntexpress.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mntexpress\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4013082; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/23;) alert dns any any -> any any (msg: "MISP e23 [tlp:white] Domain worldairpost.com"; dns.query; content:"worldairpost.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])worldairpost\.com$/i"; classtype:trojan-activity; sid:4013091; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/23;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e23 [tlp:white] Outgoing HTTP Domain worldairpost.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"worldairpost.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])worldairpost\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4013092; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/23;) alert dns any any -> any any (msg: "MISP e23 [tlp:white] Domain worldairpost.net"; dns.query; content:"worldairpost.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])worldairpost\.net$/i"; classtype:trojan-activity; sid:4013101; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/23;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e23 [tlp:white] Outgoing HTTP Domain worldairpost.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"worldairpost.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])worldairpost\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4013102; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/23;) alert dns any any -> any any (msg: "MISP e23 [tlp:white] Domain camprainbowgold.ru"; dns.query; content:"camprainbowgold.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])camprainbowgold\.ru$/i"; classtype:trojan-activity; sid:4013111; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/23;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e23 [tlp:white] Outgoing HTTP Domain 
camprainbowgold.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"camprainbowgold.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])camprainbowgold\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4013112; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/23;) alert dns any any -> any any (msg: "MISP e23 [tlp:white] Domain poolwaterslide2011.ru"; dns.query; content:"poolwaterslide2011.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])poolwaterslide2011\.ru$/i"; classtype:trojan-activity; sid:4013121; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/23;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e23 [tlp:white] Outgoing HTTP Domain poolwaterslide2011.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"poolwaterslide2011.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])poolwaterslide2011\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4013122; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/23;) alert dns any any -> any any (msg: "MISP e24 [tlp:white] Domain weblogin-vxxxxxx.net"; dns.query; content:"weblogin-vxxxxxx.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])weblogin\-vxxxxxx\.net$/i"; classtype:trojan-activity; sid:4013161; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/24;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e24 [tlp:white] Outgoing HTTP Domain weblogin-vxxxxxx.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"weblogin-vxxxxxx.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])weblogin\-vxxxxxx\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4013162; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/24;) alert dns any any -> any any (msg: "MISP e24 [tlp:white] Domain linkedinmember.com"; dns.query; 
content:"linkedinmember.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])linkedinmember\.com$/i"; classtype:trojan-activity; sid:4013171; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/24;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e24 [tlp:white] Outgoing HTTP Domain linkedinmember.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"linkedinmember.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])linkedinmember\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4013172; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/24;) alert dns any any -> any any (msg: "MISP e24 [tlp:white] Domain auth-vxxxxxx.com"; dns.query; content:"auth-vxxxxxx.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])auth\-vxxxxxx\.com$/i"; classtype:trojan-activity; sid:4013181; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/24;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e24 [tlp:white] Outgoing HTTP Domain auth-vxxxxxx.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"auth-vxxxxxx.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])auth\-vxxxxxx\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4013182; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/24;) alert dns any any -> any any (msg: "MISP e24 [tlp:white] Domain 8800free.info"; dns.query; content:"8800free.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])8800free\.info$/i"; classtype:trojan-activity; sid:4013201; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/24;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e24 [tlp:white] Outgoing HTTP Domain 8800free.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"8800free.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])8800free\.info[^A-Za-z0-9-\.]/Hi"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4013202; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/24;)
# NOTE(review): every domain attribute in this export is emitted as a pair: a dns.query rule (sid ending in 1) and an HTTP Host-header rule (sid ending in 2). The pcre prefix (^|[^A-Za-z0-9-]) deliberately accepts any subdomain of the listed name; keep that in mind for the apex-domain entries flagged further down.
alert dns any any -> any any (msg: "MISP e24 [tlp:white] Domain vpn.mm523.net"; dns.query; content:"vpn.mm523.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])vpn\.mm523\.net$/i"; classtype:trojan-activity; sid:4013211; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/24;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e24 [tlp:white] Outgoing HTTP Domain vpn.mm523.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vpn.mm523.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vpn\.mm523\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4013212; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/24;)
# NOTE(review): sid 4013261 and sid 4013321 below match a vendor whitepaper download (ThemanyfacesofGh0stRat.pdf) and the HFS product page (www.rejetto.com/hfs); these read like reference links attached to the event rather than attacker infrastructure, and www.rejetto.com additionally gets DNS/Host rules (sid 4013331/4013332). Confirm the to_ids flag on those attributes before enabling them.
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e24 [tlp:white] Outgoing URL http|3a|//download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf"; flow:to_server,established; http.header; content:"download01.norman.no"; fast_pattern; nocase; http.uri; content:"/documents/ThemanyfacesofGh0stRat.pdf"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4013261; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/24;)
alert dns any any -> any any (msg: "MISP e24 [tlp:white] Domain vps.mm523.net"; dns.query; content:"vps.mm523.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])vps\.mm523\.net$/i"; classtype:trojan-activity; sid:4013271; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/24;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e24 [tlp:white] Outgoing HTTP Domain vps.mm523.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vps.mm523.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vps\.mm523\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4013272; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/24;)
alert dns any any -> any any (msg: "MISP e24 [tlp:white] Domain gds520.com"; dns.query; content:"gds520.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])gds520\.com$/i"; classtype:trojan-activity; sid:4013281; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/24;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e24 [tlp:white] Outgoing HTTP Domain gds520.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gds520.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gds520\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4013282; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/24;)
# NOTE(review): sid 4013291/4013292 cover the apex mm523.net; because the pcre prefix accepts any label in front of the name, the vpn./vps. lookups above will also hit these two and alert twice per query. Fine for coverage, but deduplicate downstream.
alert dns any any -> any any (msg: "MISP e24 [tlp:white] Domain mm523.net"; dns.query; content:"mm523.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])mm523\.net$/i"; classtype:trojan-activity; sid:4013291; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/24;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e24 [tlp:white] Outgoing HTTP Domain mm523.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mm523.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mm523\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4013292; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/24;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e24 [tlp:white] Outgoing URL http|3a|//www.rejetto.com/hfs"; flow:to_server,established; http.header; content:"www.rejetto.com"; fast_pattern; nocase; http.uri; content:"/hfs"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4013321; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/24;)
alert dns any any -> any any (msg: "MISP e24 [tlp:white] Domain www.rejetto.com"; dns.query; content:"www.rejetto.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.rejetto\.com$/i"; classtype:trojan-activity; sid:4013331; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/24;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e24 [tlp:white] Outgoing HTTP Domain www.rejetto.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"www.rejetto.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.rejetto\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4013332; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/24;)
alert dns any any -> any any (msg: "MISP e24 [tlp:white] Domain vps.xxxxx.net"; dns.query; content:"vps.xxxxx.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])vps\.xxxxx\.net$/i"; classtype:trojan-activity; sid:4013341; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/24;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e24 [tlp:white] Outgoing HTTP Domain vps.xxxxx.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vps.xxxxx.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vps\.xxxxx\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4013342; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/24;)
# NOTE(review): sid 4013361 keys on the Host header alone (no http.uri content and no fast_pattern, unlike the other e24 URL rules) because the exported URL carried no path; it fires on any request to that host, which the dns/Host pair that follows already covers.
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e24 [tlp:white] Outgoing URL http|3a|//xiuxiu.web.meitu.com"; flow:to_server,established; http.header; content:"xiuxiu.web.meitu.com"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4013361; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/24;)
alert dns any any -> any any (msg: "MISP e24 [tlp:white] Domain xiuxiu.web.meitu.com"; dns.query; content:"xiuxiu.web.meitu.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])xiuxiu\.web\.meitu\.com$/i"; classtype:trojan-activity; sid:4013371; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/24;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e24 [tlp:white] Outgoing HTTP Domain xiuxiu.web.meitu.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"xiuxiu.web.meitu.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])xiuxiu\.web\.meitu\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4013372; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/24;)
alert ip $HOME_NET any -> 172.246.109.27 any (msg: "MISP e25 [tlp:white] Outgoing To IP: 172.246.109.27"; classtype:trojan-activity; sid:4013461; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/25;)
alert dns any any -> any any (msg: "MISP e25 [tlp:white] Domain start-vedioing.net"; dns.query; content:"start-vedioing.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])start\-vedioing\.net$/i"; classtype:trojan-activity; sid:4013481; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e25 [tlp:white] Outgoing HTTP Domain start-vedioing.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"start-vedioing.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])start\-vedioing\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4013482; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/25;)
alert dns any any -> any any (msg: "MISP e25 [tlp:white] Domain anywhere-staring.com"; dns.query; content:"anywhere-staring.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])anywhere\-staring\.com$/i"; classtype:trojan-activity; sid:4013501; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e25 [tlp:white] Outgoing HTTP Domain anywhere-staring.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"anywhere-staring.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])anywhere\-staring\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4013502; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/25;)
alert ip $HOME_NET any -> 46.166.165.254 any (msg: "MISP e30 [tlp:white] Outgoing To IP: 46.166.165.254"; classtype:trojan-activity; sid:4019241; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/30;)
# NOTE(review): the three e30 URL rules below (sid 4019251/4019261/4019271) look for the hostname inside http.uri. For an ordinary request the URI buffer holds only the path, so these match only absolute-URI (proxy-style) requests; for direct requests the host belongs in an http.host (or http.header "Host|3a|") content and only the path in http.uri, as the e24 URL rules above do, e.g. `http.host; content:"newsumbrella.net"; nocase; http.uri; content:"/ne3s/lat3st/w0rld/systemupdateAPI.exe"; fast_pattern; nocase;`. The exported attributes presumably lacked a scheme, which is why MISP emitted this form.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e30 [tlp:white] Outgoing URL newsumbrella.net/ne3s/lat3st/w0rld/systemupdateAPI.exe"; flow:to_server,established; http.uri; content:"newsumbrella.net/ne3s/lat3st/w0rld/systemupdateAPI.exe"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4019251; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e30 [tlp:white] Outgoing URL newsumbrella.net/ne3s/file.exe"; flow:to_server,established; http.uri; content:"newsumbrella.net/ne3s/file.exe"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4019261; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e30 [tlp:white] Outgoing URL newsumbrella.net/bla3k/extra7/systemupdateAPI.exe"; flow:to_server,established; http.uri; content:"newsumbrella.net/bla3k/extra7/systemupdateAPI.exe"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4019271; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/30;)
alert dns any any -> any any (msg: "MISP e27 [tlp:white] Domain doctorhandbook.com"; dns.query; content:"doctorhandbook.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])doctorhandbook\.com$/i"; classtype:trojan-activity; sid:4014231; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/27;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e27 [tlp:white] Outgoing HTTP Domain doctorhandbook.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"doctorhandbook.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])doctorhandbook\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4014232; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/27;)
# NOTE(review): sid 4014241 can only see the SNI, never the "/1abBob52b" path, and its content is an unanchored substring with no pcre, so it alerts on every TLS session to twitter.com (and to any SNI merely containing "twitter.com"). Expect high volume; either threshold it or keep it disabled and look for the profile path in proxy/web logs instead.
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e27 [tlp:white] Outgoing URL https|3a|//twitter.com/1abBob52b"; tls.sni; content:"twitter.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4014241; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/27;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e27 [tlp:white] Outgoing URL http|3a|//www.doctorhandbook.com"; flow:to_server,established; http.header; content:"www.doctorhandbook.com"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4014261; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/27;)
alert dns any any -> any any (msg: "MISP e27 [tlp:white] Domain www.doctorhandbook.com"; dns.query; content:"www.doctorhandbook.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.doctorhandbook\.com$/i"; classtype:trojan-activity; sid:4014311; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/27;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e27 [tlp:white] Outgoing HTTP Domain www.doctorhandbook.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"www.doctorhandbook.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.doctorhandbook\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4014312; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/27;)
alert dns any any -> any any (msg: "MISP e28 [tlp:white] Domain h30026.drfx.chickenkiller.com"; dns.query; content:"h30026.drfx.chickenkiller.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])h30026\.drfx\.chickenkiller\.com$/i"; classtype:trojan-activity; sid:4014401; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/28;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e28 [tlp:white] Outgoing HTTP Domain h30026.drfx.chickenkiller.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"h30026.drfx.chickenkiller.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])h30026\.drfx\.chickenkiller\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4014402; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/28;)
# NOTE(review): sid 4014411/4014412 match the bare apex chickenkiller.com with the same subdomain-permissive pcre, so they alert on every unrelated host under that apex, not only the drfx./h30026.drfx. names the event lists (the same applies to asso.net, sid 4015501/4015502, further down). Treat hits that carry only the apex as low confidence.
alert dns any any -> any any (msg: "MISP e28 [tlp:white] Domain chickenkiller.com"; dns.query; content:"chickenkiller.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])chickenkiller\.com$/i"; classtype:trojan-activity; sid:4014411; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/28;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e28 [tlp:white] Outgoing HTTP Domain chickenkiller.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"chickenkiller.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])chickenkiller\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4014412; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/28;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e28 [tlp:white] Outgoing URL http|3a|//jdk.20e8ad99287f7fc244651237cbe8292a.org"; flow:to_server,established; http.header; content:"jdk.20e8ad99287f7fc244651237cbe8292a.org"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4014421; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/28;)
alert dns any any -> any any (msg: "MISP e28 [tlp:white] Domain jdk.20e8ad99287f7fc244651237cbe8292a.org"; dns.query; content:"jdk.20e8ad99287f7fc244651237cbe8292a.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])jdk\.20e8ad99287f7fc244651237cbe8292a\.org$/i"; classtype:trojan-activity; sid:4014431; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/28;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e28 [tlp:white] Outgoing HTTP Domain jdk.20e8ad99287f7fc244651237cbe8292a.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"jdk.20e8ad99287f7fc244651237cbe8292a.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])jdk\.20e8ad99287f7fc244651237cbe8292a\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4014432; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/28;)
alert ip $HOME_NET any -> 46.183.217.132 any (msg: "MISP e28 [tlp:white] Outgoing To IP: 46.183.217.132"; classtype:trojan-activity; sid:4015161; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/28;)
alert ip $HOME_NET any -> 46.165.237.75 any (msg: "MISP e28 [tlp:white] Outgoing To IP: 46.165.237.75"; classtype:trojan-activity; sid:4015171; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/28;)
alert ip $HOME_NET any -> 217.23.3.112 any (msg: "MISP e28 [tlp:white] Outgoing To IP: 217.23.3.112"; classtype:trojan-activity; sid:4015181; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/28;)
alert ip $HOME_NET any -> 178.162.197.9 any (msg: "MISP e28 [tlp:white] Outgoing To IP: 178.162.197.9"; classtype:trojan-activity; sid:4015191; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/28;)
alert dns any any -> any any (msg: "MISP e28 [tlp:white] Domain ddosprotected.eu"; dns.query; content:"ddosprotected.eu"; nocase; pcre: "/(^|[^A-Za-z0-9-])ddosprotected\.eu$/i"; classtype:trojan-activity; sid:4015201; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/28;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e28 [tlp:white] Outgoing HTTP Domain ddosprotected.eu"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ddosprotected.eu"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ddosprotected\.eu[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015202; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/28;)
alert dns any any -> any any (msg: "MISP e28 [tlp:white] Domain drfx.chickenkiller.com"; dns.query; content:"drfx.chickenkiller.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])drfx\.chickenkiller\.com$/i"; classtype:trojan-activity; sid:4015211; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/28;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e28 [tlp:white] Outgoing HTTP Domain drfx.chickenkiller.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"drfx.chickenkiller.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])drfx\.chickenkiller\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015212; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/28;)
alert dns any any -> any any (msg: "MISP e28 [tlp:white] Domain digitalinsight-ltd.com"; dns.query; content:"digitalinsight-ltd.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])digitalinsight\-ltd\.com$/i"; classtype:trojan-activity; sid:4015221; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/28;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e28 [tlp:white] Outgoing HTTP Domain digitalinsight-ltd.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"digitalinsight-ltd.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])digitalinsight\-ltd\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015222; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/28;)
alert dns any any -> any any (msg: "MISP e28 [tlp:white] Domain clust12-akmai.net"; dns.query; content:"clust12-akmai.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])clust12\-akmai\.net$/i"; classtype:trojan-activity; sid:4015231; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/28;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e28 [tlp:white] Outgoing HTTP Domain clust12-akmai.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"clust12-akmai.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])clust12\-akmai\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015232; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/28;)
alert dns any any -> any any (msg: "MISP e28 [tlp:white] Domain jdk-update.com"; dns.query; content:"jdk-update.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])jdk\-update\.com$/i"; classtype:trojan-activity; sid:4015241; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/28;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e28 [tlp:white] Outgoing HTTP Domain jdk-update.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"jdk-update.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])jdk\-update\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015242; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/28;)
alert dns any any -> any any (msg: "MISP e28 [tlp:white] Domain corp-aapl.com"; dns.query; content:"corp-aapl.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])corp\-aapl\.com$/i"; classtype:trojan-activity; sid:4015251; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/28;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e28 [tlp:white] Outgoing HTTP Domain corp-aapl.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"corp-aapl.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])corp\-aapl\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015252; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/28;)
# NOTE(review): e29 mixes lookalike domains (viprclod.com, ameteksen.com, ameteksensors.com, gifas.assso.net, gifas.asso.net, ssl-vaeit.com, we11point.com) with names that look like the genuine domains being imitated (ametek.com next to ameteksen.com; gifas.asso.fr and the apex asso.net next to gifas.assso.net). The genuine ones will alert on legitimate traffic; check which attributes carry to_ids in the event and disable sid 4015471/4015472, 4015501/4015502 and 4015521/4015522 if they were exported by mistake.
alert dns any any -> any any (msg: "MISP e29 [tlp:white] Domain www.polarroute.com"; dns.query; content:"www.polarroute.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.polarroute\.com$/i"; classtype:trojan-activity; sid:4015341; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e29 [tlp:white] Outgoing HTTP Domain www.polarroute.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"www.polarroute.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.polarroute\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015342; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert dns any any -> any any (msg: "MISP e29 [tlp:white] Domain citrix.vipreclod.com"; dns.query; content:"citrix.vipreclod.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])citrix\.vipreclod\.com$/i"; classtype:trojan-activity; sid:4015351; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e29 [tlp:white] Outgoing HTTP Domain citrix.vipreclod.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"citrix.vipreclod.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])citrix\.vipreclod\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015352; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert dns any any -> any any (msg: "MISP e29 [tlp:white] Domain capstoneturbine.com"; dns.query; content:"capstoneturbine.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])capstoneturbine\.com$/i"; classtype:trojan-activity; sid:4015361; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e29 [tlp:white] Outgoing HTTP Domain capstoneturbine.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"capstoneturbine.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])capstoneturbine\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015362; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert dns any any -> any any (msg: "MISP e29 [tlp:white] Domain web.viprclod.com"; dns.query; content:"web.viprclod.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])web\.viprclod\.com$/i"; classtype:trojan-activity; sid:4015371; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e29 [tlp:white] Outgoing HTTP Domain web.viprclod.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"web.viprclod.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])web\.viprclod\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015372; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert dns any any -> any any (msg: "MISP e29 [tlp:white] Domain webvipr.clod.com"; dns.query; content:"webvipr.clod.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])webvipr\.clod\.com$/i"; classtype:trojan-activity; sid:4015381; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e29 [tlp:white] Outgoing HTTP Domain webvipr.clod.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"webvipr.clod.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])webvipr\.clod\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015382; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert dns any any -> any any (msg: "MISP e29 [tlp:white] Domain viprclod.com"; dns.query; content:"viprclod.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])viprclod\.com$/i"; classtype:trojan-activity; sid:4015391; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e29 [tlp:white] Outgoing HTTP Domain viprclod.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"viprclod.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])viprclod\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015392; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
# NOTE(review): in the Source Email Address rules (sid 4015401, 4015481, 4015641, 4015651, 4015661, 4015671, 4015681) the address content carries no distance/within, so it is not relative to the "MAIL FROM|3a|" match: the rule fires wherever the address appears in the session (envelope sender or a message header) as long as a blank line |0D 0A 0D 0A| follows within 8192 bytes of it. They also only watch port 25 toward $SMTP_SERVERS, so submission on 587/465 and STARTTLS-protected sessions are not covered.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e29 [tlp:white] Source Email Address: todaymoon321@gmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"todaymoon321@gmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4015401; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert dns any any -> any any (msg: "MISP e29 [tlp:white] Domain oa.ameteksen.com"; dns.query; content:"oa.ameteksen.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])oa\.ameteksen\.com$/i"; classtype:trojan-activity; sid:4015421; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e29 [tlp:white] Outgoing HTTP Domain oa.ameteksen.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"oa.ameteksen.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])oa\.ameteksen\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015422; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert dns any any -> any any (msg: "MISP e29 [tlp:white] Domain ameteksen.com"; dns.query; content:"ameteksen.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ameteksen\.com$/i"; classtype:trojan-activity; sid:4015431; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e29 [tlp:white] Outgoing HTTP Domain ameteksen.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ameteksen.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ameteksen\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015432; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert dns any any -> any any (msg: "MISP e29 [tlp:white] Domain ameteksensors.com"; dns.query; content:"ameteksensors.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ameteksensors\.com$/i"; classtype:trojan-activity; sid:4015461; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e29 [tlp:white] Outgoing HTTP Domain ameteksensors.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ameteksensors.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ameteksensors\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015462; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert dns any any -> any any (msg: "MISP e29 [tlp:white] Domain ametek.com"; dns.query; content:"ametek.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ametek\.com$/i"; classtype:trojan-activity; sid:4015471; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e29 [tlp:white] Outgoing HTTP Domain ametek.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ametek.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ametek\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015472; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e29 [tlp:white] Source Email Address: dobbin.pacheco@aol.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"dobbin.pacheco@aol.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4015481; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert dns any any -> any any (msg: "MISP e29 [tlp:white] Domain asso.net"; dns.query; content:"asso.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])asso\.net$/i"; classtype:trojan-activity; sid:4015501; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e29 [tlp:white] Outgoing HTTP Domain asso.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"asso.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])asso\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015502; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert dns any any -> any any (msg: "MISP e29 [tlp:white] Domain gifas.assso.net"; dns.query; content:"gifas.assso.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])gifas\.assso\.net$/i"; classtype:trojan-activity; sid:4015511; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e29 [tlp:white] Outgoing HTTP Domain gifas.assso.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gifas.assso.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gifas\.assso\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015512; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert dns any any -> any any (msg: "MISP e29 [tlp:white] Domain gifas.asso.fr"; dns.query; content:"gifas.asso.fr"; nocase; pcre: "/(^|[^A-Za-z0-9-])gifas\.asso\.fr$/i"; classtype:trojan-activity; sid:4015521; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e29 [tlp:white] Outgoing HTTP Domain gifas.asso.fr"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gifas.asso.fr"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gifas\.asso\.fr[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015522; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert dns any any -> any any (msg: "MISP e29 [tlp:white] Domain gifas.asso.net"; dns.query; content:"gifas.asso.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])gifas\.asso\.net$/i"; classtype:trojan-activity; sid:4015531; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e29 [tlp:white] Outgoing HTTP Domain gifas.asso.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gifas.asso.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gifas\.asso\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015532; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert dns any any -> any any (msg: "MISP e29 [tlp:white] Domain ssl-vait.com"; dns.query; content:"ssl-vait.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ssl\-vait\.com$/i"; classtype:trojan-activity; sid:4015541; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e29 [tlp:white] Outgoing HTTP Domain ssl-vait.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ssl-vait.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ssl\-vait\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015542; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert dns any any -> any any (msg: "MISP e29 [tlp:white] Domain ssl-vaeit.com"; dns.query; content:"ssl-vaeit.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ssl\-vaeit\.com$/i"; classtype:trojan-activity; sid:4015551; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e29 [tlp:white] Outgoing HTTP Domain ssl-vaeit.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ssl-vaeit.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ssl\-vaeit\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015552; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert dns any any -> any any (msg: "MISP e29 [tlp:white] Domain sharepoint-vaeit.com"; dns.query; content:"sharepoint-vaeit.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])sharepoint\-vaeit\.com$/i"; classtype:trojan-activity; sid:4015561; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e29 [tlp:white] Outgoing HTTP Domain sharepoint-vaeit.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sharepoint-vaeit.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sharepoint\-vaeit\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015562; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert dns any any -> any any (msg: "MISP e29 [tlp:white] Domain we11point.com"; dns.query; content:"we11point.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])we11point\.com$/i"; classtype:trojan-activity; sid:4015571; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e29 [tlp:white] Outgoing HTTP Domain we11point.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"we11point.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])we11point\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015572; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert dns any any -> any any (msg: "MISP e29 [tlp:white] Domain healthslie.com"; dns.query; content:"healthslie.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])healthslie\.com$/i"; classtype:trojan-activity; sid:4015581; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e29 [tlp:white] Outgoing HTTP Domain healthslie.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"healthslie.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])healthslie\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015582; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert dns any any -> any any (msg: "MISP e29 [tlp:white] Domain prennera.com"; dns.query; content:"prennera.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])prennera\.com$/i"; classtype:trojan-activity; sid:4015591; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e29 [tlp:white] Outgoing HTTP Domain prennera.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"prennera.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])prennera\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015592; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert dns any any -> any any (msg: "MISP e29 [tlp:white] Domain topsec2014.com"; dns.query; content:"topsec2014.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])topsec2014\.com$/i"; classtype:trojan-activity; sid:4015601; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e29 [tlp:white] Outgoing HTTP Domain topsec2014.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"topsec2014.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])topsec2014\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015602; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert dns any any -> any any (msg: "MISP e29 [tlp:white] Domain googese.com"; dns.query; content:"googese.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])googese\.com$/i"; classtype:trojan-activity; sid:4015621; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e29 [tlp:white] Outgoing HTTP Domain googese.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"googese.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])googese\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015622; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e29 [tlp:white] Source Email Address: li2384826402@yahoo.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"li2384826402@yahoo.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4015641; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e29 [tlp:white] Source Email Address: e59e@qq.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"e59e@qq.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4015651; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e29 [tlp:white] Source Email Address: allbody@googese.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"allbody@googese.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4015661; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e29 [tlp:white] Source Email Address: rgreeyfue76gj@gmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"rgreeyfue76gj@gmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4015671; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e29 [tlp:white] Source Email Address: topsec_2014@163.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"topsec_2014@163.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4015681; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert ip $HOME_NET any -> 192.199.254.126 any (msg: "MISP e29 [tlp:white] Outgoing To IP: 192.199.254.126"; classtype:trojan-activity; sid:4015691; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert dns any any -> any any (msg: "MISP e29 [tlp:white] Domain extcitrix.we11point.com"; dns.query; content:"extcitrix.we11point.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])extcitrix\.we11point\.com$/i"; classtype:trojan-activity; sid:4015701; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e29 [tlp:white] Outgoing HTTP Domain extcitrix.we11point.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"extcitrix.we11point.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])extcitrix\.we11point\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015702; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e29 [tlp:white] Source Email Address: topsec2014@163.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"topsec2014@163.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4015711; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert dns any any -> any any (msg: "MISP e29 [tlp:white] Domain asconline.we11point.com"; dns.query; content:"asconline.we11point.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])asconline\.we11point\.com$/i"; classtype:trojan-activity; sid:4015741; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e29 [tlp:white] Outgoing HTTP Domain asconline.we11point.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"asconline.we11point.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])asconline\.we11point\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015742; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert dns any any -> any any (msg: "MISP e29 [tlp:white] Domain assso.net"; dns.query; content:"assso.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])assso\.net$/i"; classtype:trojan-activity; sid:4015751; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e29 [tlp:white] Outgoing HTTP Domain assso.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"assso.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])assso\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4015752; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert dns any any -> any any (msg: "MISP e29 [tlp:white] Domain capstoneturbine.cechire.com"; dns.query; content:"capstoneturbine.cechire.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])capstoneturbine\.cechire\.com$/i"; classtype:trojan-activity; sid:4015761; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e29 [tlp:white] Outgoing HTTP Domain capstoneturbine.cechire.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"capstoneturbine.cechire.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])capstoneturbine\.cechire\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015762; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert dns any any -> any any (msg: "MISP e29 [tlp:white] Domain caref1rst.com"; dns.query; content:"caref1rst.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])caref1rst\.com$/i"; classtype:trojan-activity; sid:4015771; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e29 [tlp:white] Outgoing HTTP Domain caref1rst.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"caref1rst.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])caref1rst\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015772; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert dns any any -> any any (msg: "MISP e29 [tlp:white] Domain careflrst.com"; dns.query; content:"careflrst.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])careflrst\.com$/i"; classtype:trojan-activity; sid:4015781; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e29 
[tlp:white] Outgoing HTTP Domain careflrst.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"careflrst.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])careflrst\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015782; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert dns any any -> any any (msg: "MISP e29 [tlp:white] Domain facefuture.us"; dns.query; content:"facefuture.us"; nocase; pcre: "/(^|[^A-Za-z0-9-])facefuture\.us$/i"; classtype:trojan-activity; sid:4015791; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e29 [tlp:white] Outgoing HTTP Domain facefuture.us"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"facefuture.us"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])facefuture\.us[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015792; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert dns any any -> any any (msg: "MISP e29 [tlp:white] Domain gifas.blogsite.org"; dns.query; content:"gifas.blogsite.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])gifas\.blogsite\.org$/i"; classtype:trojan-activity; sid:4015801; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e29 [tlp:white] Outgoing HTTP Domain gifas.blogsite.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gifas.blogsite.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gifas\.blogsite\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015802; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert dns any any -> any any (msg: "MISP e29 [tlp:white] Domain gifas.cechire.com"; dns.query; content:"gifas.cechire.com"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])gifas\.cechire\.com$/i"; classtype:trojan-activity; sid:4015811; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e29 [tlp:white] Outgoing HTTP Domain gifas.cechire.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gifas.cechire.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gifas\.cechire\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015812; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert dns any any -> any any (msg: "MISP e29 [tlp:white] Domain hrsolutions.we11point.com"; dns.query; content:"hrsolutions.we11point.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])hrsolutions\.we11point\.com$/i"; classtype:trojan-activity; sid:4015821; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e29 [tlp:white] Outgoing HTTP Domain hrsolutions.we11point.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hrsolutions.we11point.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hrsolutions\.we11point\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015822; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert dns any any -> any any (msg: "MISP e29 [tlp:white] Domain icbcqsz.com"; dns.query; content:"icbcqsz.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])icbcqsz\.com$/i"; classtype:trojan-activity; sid:4015831; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e29 [tlp:white] Outgoing HTTP Domain icbcqsz.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"icbcqsz.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])icbcqsz\.com[^A-Za-z0-9-\.]/Hi"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4015832; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert dns any any -> any any (msg: "MISP e29 [tlp:white] Domain me.we11point.com"; dns.query; content:"me.we11point.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])me\.we11point\.com$/i"; classtype:trojan-activity; sid:4015841; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e29 [tlp:white] Outgoing HTTP Domain me.we11point.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"me.we11point.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])me\.we11point\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015842; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert dns any any -> any any (msg: "MISP e29 [tlp:white] Domain mycitrix.we11point.com"; dns.query; content:"mycitrix.we11point.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])mycitrix\.we11point\.com$/i"; classtype:trojan-activity; sid:4015851; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e29 [tlp:white] Outgoing HTTP Domain mycitrix.we11point.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mycitrix.we11point.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mycitrix\.we11point\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015852; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert dns any any -> any any (msg: "MISP e29 [tlp:white] Domain myhr.we11point.com"; dns.query; content:"myhr.we11point.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])myhr\.we11point\.com$/i"; classtype:trojan-activity; sid:4015861; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg: "MISP e29 [tlp:white] Outgoing HTTP Domain myhr.we11point.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"myhr.we11point.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])myhr\.we11point\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015862; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert dns any any -> any any (msg: "MISP e29 [tlp:white] Domain oa.technical-requre.com"; dns.query; content:"oa.technical-requre.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])oa\.technical\-requre\.com$/i"; classtype:trojan-activity; sid:4015871; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e29 [tlp:white] Outgoing HTTP Domain oa.technical-requre.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"oa.technical-requre.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])oa\.technical\-requre\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015872; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert dns any any -> any any (msg: "MISP e29 [tlp:white] Domain oa.trustneser.com"; dns.query; content:"oa.trustneser.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])oa\.trustneser\.com$/i"; classtype:trojan-activity; sid:4015881; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e29 [tlp:white] Outgoing HTTP Domain oa.trustneser.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"oa.trustneser.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])oa\.trustneser\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015882; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert dns any any -> any any (msg: 
"MISP e29 [tlp:white] Domain polarroute.com"; dns.query; content:"polarroute.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])polarroute\.com$/i"; classtype:trojan-activity; sid:4015891; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e29 [tlp:white] Outgoing HTTP Domain polarroute.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"polarroute.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])polarroute\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015892; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert dns any any -> any any (msg: "MISP e29 [tlp:white] Domain savmpet.com"; dns.query; content:"savmpet.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])savmpet\.com$/i"; classtype:trojan-activity; sid:4015901; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e29 [tlp:white] Outgoing HTTP Domain savmpet.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"savmpet.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])savmpet\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015902; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert dns any any -> any any (msg: "MISP e29 [tlp:white] Domain sinmoung.com"; dns.query; content:"sinmoung.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])sinmoung\.com$/i"; classtype:trojan-activity; sid:4015911; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e29 [tlp:white] Outgoing HTTP Domain sinmoung.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sinmoung.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sinmoung\.com[^A-Za-z0-9-\.]/Hi"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4015912; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert dns any any -> any any (msg: "MISP e29 [tlp:white] Domain vipreclod.com"; dns.query; content:"vipreclod.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])vipreclod\.com$/i"; classtype:trojan-activity; sid:4015921; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e29 [tlp:white] Outgoing HTTP Domain vipreclod.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vipreclod.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vipreclod\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015922; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert dns any any -> any any (msg: "MISP e29 [tlp:white] Domain vpn.we11point.com"; dns.query; content:"vpn.we11point.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])vpn\.we11point\.com$/i"; classtype:trojan-activity; sid:4015931; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e29 [tlp:white] Outgoing HTTP Domain vpn.we11point.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vpn.we11point.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vpn\.we11point\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015932; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert dns any any -> any any (msg: "MISP e29 [tlp:white] Domain webmail.kaspersyk.com"; dns.query; content:"webmail.kaspersyk.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])webmail\.kaspersyk\.com$/i"; classtype:trojan-activity; sid:4015941; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e29 [tlp:white] 
Outgoing HTTP Domain webmail.kaspersyk.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"webmail.kaspersyk.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])webmail\.kaspersyk\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015942; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert dns any any -> any any (msg: "MISP e29 [tlp:white] Domain webmail.vipreclod.com"; dns.query; content:"webmail.vipreclod.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])webmail\.vipreclod\.com$/i"; classtype:trojan-activity; sid:4015951; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e29 [tlp:white] Outgoing HTTP Domain webmail.vipreclod.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"webmail.vipreclod.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])webmail\.vipreclod\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015952; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert dns any any -> any any (msg: "MISP e29 [tlp:white] Domain wiki-vaeit.com"; dns.query; content:"wiki-vaeit.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])wiki\-vaeit\.com$/i"; classtype:trojan-activity; sid:4015961; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e29 [tlp:white] Outgoing HTTP Domain wiki-vaeit.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wiki-vaeit.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wiki\-vaeit\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015962; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert dns any any -> any any (msg: "MISP e29 [tlp:white] Domain www.we11point.com"; dns.query; 
content:"www.we11point.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.we11point\.com$/i"; classtype:trojan-activity; sid:4015971; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e29 [tlp:white] Outgoing HTTP Domain www.we11point.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"www.we11point.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.we11point\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015972; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert dns any any -> any any (msg: "MISP e29 [tlp:white] Domain ysims.com"; dns.query; content:"ysims.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ysims\.com$/i"; classtype:trojan-activity; sid:4015981; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e29 [tlp:white] Outgoing HTTP Domain ysims.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ysims.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ysims\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4015982; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/29;) alert dns any any -> any any (msg: "MISP e31 [tlp:white] Domain melon25.ru"; dns.query; content:"melon25.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])melon25\.ru$/i"; classtype:trojan-activity; sid:4019281; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/31;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e31 [tlp:white] Outgoing HTTP Domain melon25.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"melon25.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])melon25\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4019282; rev:1; 
priority:2; reference:url,https://misp.botvrij.eu/events/view/31;) alert ip $HOME_NET any -> 81.94.205.226 any (msg: "MISP e31 [tlp:white] Outgoing To IP: 81.94.205.226"; classtype:trojan-activity; sid:4019291; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/31;) alert ip $HOME_NET any -> 104.219.250.16 any (msg: "MISP e31 [tlp:white] Outgoing To IP: 104.219.250.16"; classtype:trojan-activity; sid:4019301; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/31;) alert http $HOME_NET any -> 52.24.219.3 $HTTP_PORTS (msg: "MISP e31 [tlp:white] Outgoing URL http|3a|//52.24.219.3/action.php"; flow:to_server,established; http.header; content:"52.24.219.3"; fast_pattern; nocase; http.uri; content:"/action.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4019311; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/31;) alert http $HOME_NET any -> 192.227.137.154 $HTTP_PORTS (msg: "MISP e31 [tlp:white] Outgoing URL http|3a|//192.227.137.154/request.php"; flow:to_server,established; http.header; content:"192.227.137.154"; fast_pattern; nocase; http.uri; content:"/request.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4019321; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/31;) alert http $HOME_NET any -> 23.227.163.110 $HTTP_PORTS (msg: "MISP e31 [tlp:white] Outgoing URL http|3a|//23.227.163.110/locker.php"; flow:to_server,established; http.header; content:"23.227.163.110"; fast_pattern; nocase; http.uri; content:"/locker.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4019331; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/31;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e31 [tlp:white] Outgoing URL http|3a|//market155.ru/Install.apk"; flow:to_server,established; http.header; content:"market155.ru"; fast_pattern; nocase; http.uri; content:"/Install.apk"; nocase; tag:session,600,seconds; 
classtype:trojan-activity; sid:4019341; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/31;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e31 [tlp:white] Outgoing URL http|3a|//illuminatework.ru/Install.apk"; flow:to_server,established; http.header; content:"illuminatework.ru"; fast_pattern; nocase; http.uri; content:"/Install.apk"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4019351; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/31;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e31 [tlp:white] Outgoing URL http|3a|//yetiathome15.ru/Install.apk"; flow:to_server,established; http.header; content:"yetiathome15.ru"; fast_pattern; nocase; http.uri; content:"/Install.apk"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4019361; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/31;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e31 [tlp:white] Outgoing URL http|3a|//leeroywork3.co/install.apk"; flow:to_server,established; http.header; content:"leeroywork3.co"; fast_pattern; nocase; http.uri; content:"/install.apk"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4019371; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/31;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e31 [tlp:white] Outgoing URL http|3a|//morning3.ru/install.apk"; flow:to_server,established; http.header; content:"morning3.ru"; fast_pattern; nocase; http.uri; content:"/install.apk"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4019381; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/31;) alert ip $HOME_NET any -> 109.234.38.35 any (msg: "MISP e32 [tlp:white] Outgoing To IP: 109.234.38.35"; classtype:trojan-activity; sid:4019611; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/32;) alert ip $HOME_NET any -> 173.214.183.81 any 
(msg: "MISP e32 [tlp:white] Outgoing To IP: 173.214.183.81"; classtype:trojan-activity; sid:4019621; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/32;) alert ip $HOME_NET any -> 193.124.181.169 any (msg: "MISP e32 [tlp:white] Outgoing To IP: 193.124.181.169"; classtype:trojan-activity; sid:4019631; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/32;) alert ip $HOME_NET any -> 195.154.241.208 any (msg: "MISP e32 [tlp:white] Outgoing To IP: 195.154.241.208"; classtype:trojan-activity; sid:4019641; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/32;) alert ip $HOME_NET any -> 195.64.154.14 any (msg: "MISP e32 [tlp:white] Outgoing To IP: 195.64.154.14"; classtype:trojan-activity; sid:4019651; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/32;) alert ip $HOME_NET any -> 46.4.239.76 any (msg: "MISP e32 [tlp:white] Outgoing To IP: 46.4.239.76"; classtype:trojan-activity; sid:4019661; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/32;) alert ip $HOME_NET any -> 66.133.129.5 any (msg: "MISP e32 [tlp:white] Outgoing To IP: 66.133.129.5"; classtype:trojan-activity; sid:4019671; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/32;) alert ip $HOME_NET any -> 86.104.134.144 any (msg: "MISP e32 [tlp:white] Outgoing To IP: 86.104.134.144"; classtype:trojan-activity; sid:4019681; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/32;) alert ip $HOME_NET any -> 91.195.12.185 any (msg: "MISP e32 [tlp:white] Outgoing To IP: 91.195.12.185"; classtype:trojan-activity; sid:4019691; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/32;) alert dns any any -> any any (msg: "MISP e32 [tlp:white] Domain iynus.net"; dns.query; content:"iynus.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])iynus\.net$/i"; classtype:trojan-activity; sid:4019701; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/32;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg: "MISP e32 [tlp:white] Outgoing HTTP Domain iynus.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"iynus.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])iynus\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4019702; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/32;) alert dns any any -> any any (msg: "MISP e32 [tlp:white] Domain www.iglobali.com"; dns.query; content:"www.iglobali.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.iglobali\.com$/i"; classtype:trojan-activity; sid:4019711; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/32;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e32 [tlp:white] Outgoing HTTP Domain www.iglobali.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"www.iglobali.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.iglobali\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4019712; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/32;) alert dns any any -> any any (msg: "MISP e32 [tlp:white] Domain www.jesusdenazaret.com.ve"; dns.query; content:"www.jesusdenazaret.com.ve"; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.jesusdenazaret\.com\.ve$/i"; classtype:trojan-activity; sid:4019721; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/32;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e32 [tlp:white] Outgoing HTTP Domain www.jesusdenazaret.com.ve"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"www.jesusdenazaret.com.ve"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.jesusdenazaret\.com\.ve[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4019722; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/32;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg: "MISP e32 [tlp:white] Outgoing URL www.southlife.church"; flow:to_server,established; http.uri; content:"www.southlife.church"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4019731; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/32;) alert dns any any -> any any (msg: "MISP e32 [tlp:white] Domain www.villaggio.airwave.at"; dns.query; content:"www.villaggio.airwave.at"; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.villaggio\.airwave\.at$/i"; classtype:trojan-activity; sid:4019741; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/32;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e32 [tlp:white] Outgoing HTTP Domain www.villaggio.airwave.at"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"www.villaggio.airwave.at"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.villaggio\.airwave\.at[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4019742; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/32;) alert dns any any -> any any (msg: "MISP e33 [tlp:white] Domain azureon-line.com"; dns.query; content:"azureon-line.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])azureon\-line\.com$/i"; classtype:trojan-activity; sid:4021481; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/33;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e33 [tlp:white] Outgoing HTTP Domain azureon-line.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"azureon-line.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])azureon\-line\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4021482; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/33;) alert ip $HOME_NET any -> 198.105.125.74 any (msg: "MISP e33 [tlp:white] Outgoing To IP: 198.105.125.74"; classtype:trojan-activity; sid:4021491; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/33;)
# NOTE(review): event 33 exports two look-alike spellings ("mozilla-plugins.com" and "mozillaplagins.com"),
# each as a dns.query rule plus a Host-header rule. Keep the pairs together when pruning.
alert dns any any -> any any (msg: "MISP e33 [tlp:white] Domain mozilla-plugins.com"; dns.query; content:"mozilla-plugins.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])mozilla\-plugins\.com$/i"; classtype:trojan-activity; sid:4021501; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/33;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e33 [tlp:white] Outgoing HTTP Domain mozilla-plugins.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mozilla-plugins.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mozilla\-plugins\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4021502; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/33;)
alert dns any any -> any any (msg: "MISP e33 [tlp:white] Domain mozillaplagins.com"; dns.query; content:"mozillaplagins.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])mozillaplagins\.com$/i"; classtype:trojan-activity; sid:4021511; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/33;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e33 [tlp:white] Outgoing HTTP Domain mozillaplagins.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mozillaplagins.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mozillaplagins\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4021512; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/33;)
# NOTE(review): event 34 lists five labels under touchpadz.com (sk2, stat, bat, pages and one more below).
# Each rule's pcre requires a non-hostname character before its exact label, so any other label in the
# same zone is not covered. If event 34 says the whole zone is attacker-controlled, a single zone-wide
# rule would be simpler and would also catch new labels — confirm against the event before widening.
alert dns any any -> any any (msg: "MISP e34 [tlp:white] Domain sk2.touchpadz.com"; dns.query; content:"sk2.touchpadz.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])sk2\.touchpadz\.com$/i"; classtype:trojan-activity; sid:4021521; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/34;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e34 [tlp:white] Outgoing HTTP Domain sk2.touchpadz.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sk2.touchpadz.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sk2\.touchpadz\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4021522; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/34;)
alert dns any any -> any any (msg: "MISP e34 [tlp:white] Domain stat.touchpadz.com"; dns.query; content:"stat.touchpadz.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])stat\.touchpadz\.com$/i"; classtype:trojan-activity; sid:4021531; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/34;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e34 [tlp:white] Outgoing HTTP Domain stat.touchpadz.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"stat.touchpadz.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])stat\.touchpadz\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4021532; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/34;)
alert dns any any -> any any (msg: "MISP e34 [tlp:white] Domain bat.touchpadz.com"; dns.query; content:"bat.touchpadz.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])bat\.touchpadz\.com$/i"; classtype:trojan-activity; sid:4021541; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/34;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e34 [tlp:white] Outgoing HTTP Domain bat.touchpadz.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bat.touchpadz.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bat\.touchpadz\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4021542; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/34;)
alert dns any any -> any any (msg: "MISP e34 [tlp:white] Domain pages.touchpadz.com"; dns.query; content:"pages.touchpadz.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])pages\.touchpadz\.com$/i"; classtype:trojan-activity; sid:4021551; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/34;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e34 [tlp:white] Outgoing HTTP Domain pages.touchpadz.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pages.touchpadz.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pages\.touchpadz\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4021552; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/34;)
# NOTE(review): the "Outgoing To IP" rules in this file are plain "alert ip" signatures with no flow, port,
# content or threshold option: any traffic from $HOME_NET to the listed address, on any protocol, alerts.
# Bare IP indicators are the most perishable part of an export; confirm them against the referenced event
# (e.g. event 36 contributes five addresses in 173.254.236.0/24) before keeping them in production.
alert ip $HOME_NET any -> 5.79.83.27 any (msg: "MISP e34 [tlp:white] Outgoing To IP: 5.79.83.27"; classtype:trojan-activity; sid:4021561; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/34;)
alert ip $HOME_NET any -> 37.139.47.183 any (msg: "MISP e34 [tlp:white] Outgoing To IP: 37.139.47.183"; classtype:trojan-activity; sid:4021571; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/34;)
alert ip $HOME_NET any -> 62.76.41.190 any (msg: "MISP e34 [tlp:white] Outgoing To IP: 62.76.41.190"; classtype:trojan-activity; sid:4021581; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/34;)
alert ip $HOME_NET any -> 62.76.186.235 any (msg: "MISP e34 [tlp:white] Outgoing To IP: 62.76.186.235"; classtype:trojan-activity; sid:4021591; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/34;)
alert ip $HOME_NET any -> 202.68.226.59 any (msg: "MISP e35 [tlp:white] Outgoing To IP: 202.68.226.59"; classtype:trojan-activity; sid:4021601; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/35;)
alert ip $HOME_NET any -> 173.254.236.11 any (msg: "MISP e36 [tlp:white] Outgoing To IP: 173.254.236.11"; classtype:trojan-activity; sid:4021611; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/36;)
alert ip $HOME_NET any -> 173.254.236.19 any (msg: "MISP e36 [tlp:white] Outgoing To IP: 173.254.236.19"; classtype:trojan-activity; sid:4021621; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/36;)
alert ip $HOME_NET any -> 173.254.236.26 any (msg: "MISP e36 [tlp:white] Outgoing To IP: 173.254.236.26"; classtype:trojan-activity; sid:4021631; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/36;)
alert ip $HOME_NET any -> 173.254.236.55 any (msg: "MISP e36 [tlp:white] Outgoing To IP: 173.254.236.55"; classtype:trojan-activity; sid:4021641; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/36;)
alert ip $HOME_NET any -> 173.254.236.97 any (msg: "MISP e36 [tlp:white] Outgoing To IP: 173.254.236.97"; classtype:trojan-activity; sid:4021661; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/36;)
alert dns any any -> any any (msg: "MISP e36 [tlp:white] Domain myss.basec.cc"; dns.query; content:"myss.basec.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-])myss\.basec\.cc$/i"; classtype:trojan-activity; sid:4021671; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/36;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e36 [tlp:white] Outgoing HTTP Domain myss.basec.cc"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"myss.basec.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])myss\.basec\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4021672; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/36;)
alert ip $HOME_NET any -> 122.114.124.26 any (msg: "MISP e36 [tlp:white] Outgoing To IP: 122.114.124.26"; classtype:trojan-activity; sid:4021691; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/36;)
# NOTE(review): balei.f3322.org is a single label under a zone that appears to be a shared/dynamic-DNS
# service (verify); only this exact label is matched, not the zone.
alert dns any any -> any any (msg: "MISP e36 [tlp:white] Domain balei.f3322.org"; dns.query; content:"balei.f3322.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])balei\.f3322\.org$/i"; classtype:trojan-activity; sid:4021731; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/36;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e36 [tlp:white] Outgoing HTTP Domain balei.f3322.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"balei.f3322.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])balei\.f3322\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4021732; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/36;)
# NOTE(review): the event-37 "Outgoing URL" rules match the host as a plain substring of http.header
# (no "Host|3a|" anchor, so a Referer containing the host also matches) and the path as an unanchored
# substring of http.uri ("/1.exe" also matches "/x/1.exe?y"). Rules whose destination is a literal IP
# (78.47.198.134) additionally restrict the packet destination, so they miss the same host behind a proxy.
alert http $HOME_NET any -> 78.47.198.134 $HTTP_PORTS (msg: "MISP e37 [tlp:white] Outgoing URL http|3a|//78.47.198.134/1.exe"; flow:to_server,established; http.header; content:"78.47.198.134"; fast_pattern; nocase; http.uri; content:"/1.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4021741; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/37;)
alert ip $HOME_NET any -> 78.47.198.134 any (msg: "MISP e37 [tlp:white] Outgoing To IP: 78.47.198.134"; classtype:trojan-activity; sid:4021751; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/37;)
alert http $HOME_NET any -> 78.47.198.134 $HTTP_PORTS (msg: "MISP e37 [tlp:white] Outgoing URL http|3a|//78.47.198.134/header/m.tx"; flow:to_server,established; http.header; content:"78.47.198.134"; fast_pattern; nocase; http.uri; content:"/header/m.tx"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4021761; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/37;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e37 [tlp:white] Outgoing URL http|3a|//helloguysqq.su/85.exe"; flow:to_server,established; http.header; content:"helloguysqq.su"; fast_pattern; nocase; http.uri; content:"/85.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4021771; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/37;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e37 [tlp:white] Outgoing URL http|3a|//sowhatsupwithitff.com/85.exe"; flow:to_server,established; http.header; content:"sowhatsupwithitff.com"; fast_pattern; nocase; http.uri; content:"/85.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4021781; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/37;)
alert http $HOME_NET any -> 78.47.198.134 $HTTP_PORTS (msg: "MISP e37 [tlp:white] Outgoing URL http|3a|//78.47.198.134/1.zip"; flow:to_server,established; http.header; content:"78.47.198.134"; fast_pattern; nocase; http.uri; content:"/1.zip"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4021791; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/37;)
# NOTE(review): the same file name "bstr.php" recurs under six unrelated hosts in event 37 (sids 4021801-4021851).
# Every rule requires its own host, so a further host serving the same path is not covered; a path-only
# rule would trade that gap for more false positives — decide per deployment.
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e37 [tlp:white] Outgoing URL http|3a|//biocarbon.com.ec/wp-content/uploads/bstr.php"; flow:to_server,established; http.header; content:"biocarbon.com.ec"; fast_pattern; nocase; http.uri; content:"/wp-content/uploads/bstr.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4021801; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/37;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e37 [tlp:white] Outgoing URL http|3a|//imagescroll.com/cgi-bin/Templates/bstr.php"; flow:to_server,established; http.header; content:"imagescroll.com"; fast_pattern; nocase; http.uri; content:"/cgi-bin/Templates/bstr.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4021811; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/37;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e37 [tlp:white] Outgoing URL http|3a|//music.mbsaeger.com/music/Glee/bstr.php"; flow:to_server,established; http.header; content:"music.mbsaeger.com"; fast_pattern; nocase; http.uri; content:"/music/Glee/bstr.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4021821; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/37;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e37 [tlp:white] Outgoing URL http|3a|//stacon.eu/bstr.php"; flow:to_server,established; http.header; content:"stacon.eu"; fast_pattern; nocase; http.uri; content:"/bstr.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4021831; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/37;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e37 [tlp:white] Outgoing URL http|3a|//surrogacyandadoption.com/bstr.php"; flow:to_server,established; http.header; content:"surrogacyandadoption.com"; fast_pattern; nocase; http.uri; content:"/bstr.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4021841; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/37;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e37 [tlp:white] Outgoing URL http|3a|//worldisonefamily.info/zz/libraries/bstr.php"; flow:to_server,established; http.header; content:"worldisonefamily.info"; fast_pattern; nocase; http.uri; content:"/zz/libraries/bstr.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4021851; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/37;)
alert ip $HOME_NET any -> 212.71.254.212 any (msg: "MISP e38 [tlp:white] Outgoing To IP: 212.71.254.212"; classtype:trojan-activity; sid:4021891; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/38;)
# NOTE(review): event 39 alternates domain pairs with bare IPs; nothing in the rules ties an IP to a
# domain, so treat each as an independent indicator when triaging hits.
alert dns any any -> any any (msg: "MISP e39 [tlp:white] Domain www.kiwitemplates.com"; dns.query; content:"www.kiwitemplates.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.kiwitemplates\.com$/i"; classtype:trojan-activity; sid:4021911; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/39;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e39 [tlp:white] Outgoing HTTP Domain www.kiwitemplates.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"www.kiwitemplates.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.kiwitemplates\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4021912; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/39;)
alert ip $HOME_NET any -> 185.46.8.131 any (msg: "MISP e39 [tlp:white] Outgoing To IP: 185.46.8.131"; classtype:trojan-activity; sid:4021921; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/39;)
alert dns any any -> any any (msg: "MISP e39 [tlp:white] Domain vuotando-tdiff.nyraclub.com"; dns.query; content:"vuotando-tdiff.nyraclub.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])vuotando\-tdiff\.nyraclub\.com$/i"; classtype:trojan-activity; sid:4021931; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/39;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e39 [tlp:white] Outgoing HTTP Domain vuotando-tdiff.nyraclub.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vuotando-tdiff.nyraclub.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vuotando\-tdiff\.nyraclub\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4021932; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/39;)
alert ip $HOME_NET any -> 194.228.3.204 any (msg: "MISP e39 [tlp:white] Outgoing To IP: 194.228.3.204"; classtype:trojan-activity; sid:4021941; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/39;)
alert dns any any -> any any (msg: "MISP e39 [tlp:white] Domain opravnatramvaji.cz"; dns.query; content:"opravnatramvaji.cz"; nocase; pcre: "/(^|[^A-Za-z0-9-])opravnatramvaji\.cz$/i"; classtype:trojan-activity; sid:4021951; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/39;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e39 [tlp:white] Outgoing HTTP Domain opravnatramvaji.cz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"opravnatramvaji.cz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])opravnatramvaji\.cz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4021952; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/39;)
alert ip $HOME_NET any -> 93.171.217.56 any (msg: "MISP e39 [tlp:white] Outgoing To IP: 93.171.217.56"; classtype:trojan-activity; sid:4021961; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/39;)
alert dns any any -> any any (msg: "MISP e39 [tlp:white] Domain img.zolotcekatya.info"; dns.query; content:"img.zolotcekatya.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])img\.zolotcekatya\.info$/i"; classtype:trojan-activity; sid:4021971; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/39;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e39 [tlp:white] Outgoing HTTP Domain img.zolotcekatya.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"img.zolotcekatya.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])img\.zolotcekatya\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4021972; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/39;)
alert ip $HOME_NET any -> 185.46.11.205 any (msg: "MISP e39 [tlp:white] Outgoing To IP: 185.46.11.205"; classtype:trojan-activity; sid:4021981; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/39;)
alert dns any any -> any any (msg: "MISP e39 [tlp:white] Domain gil.noglutendairysugar.com"; dns.query; content:"gil.noglutendairysugar.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])gil\.noglutendairysugar\.com$/i"; classtype:trojan-activity; sid:4021991; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/39;)
# (the next rule continues on the following line of the file)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e39 [tlp:white] Outgoing HTTP Domain gil.noglutendairysugar.com"; flow:to_server,established; http.header; 
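content: "Host|3a|"; nocase; http.header; content:"gil.noglutendairysugar.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gil\.noglutendairysugar\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4021992; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/39;)
# NOTE(review): the three event-40 "Outgoing URL" rules (sids 4022051, 4022071, 4022091) are bare-hostname
# "url" attributes. As exported they looked for the hostname in http.uri; in an origin-form request
# (GET /path HTTP/1.1) that buffer holds only the path, so they could only fire on proxy-style absolute-URI
# requests. Rewritten to the Host-header pattern this file uses for its "Outgoing HTTP Domain" rules
# (covers both request forms); rev bumped to 2. The ".onion.link" / ".onion.nu" names appear to be
# clearnet gateway names for the same hidden-service labels — verify against event 40.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e40 [tlp:white] Outgoing URL lclebb6kvohlkcml.onion.link"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lclebb6kvohlkcml.onion.link"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lclebb6kvohlkcml\.onion\.link[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4022051; rev:2; priority:2; reference:url,https://misp.botvrij.eu/events/view/40;)
alert dns any any -> any any (msg: "MISP e40 [tlp:white] Domain lclebb6kvohlkcml.onion.nu"; dns.query; content:"lclebb6kvohlkcml.onion.nu"; nocase; pcre: "/(^|[^A-Za-z0-9-])lclebb6kvohlkcml\.onion\.nu$/i"; classtype:trojan-activity; sid:4022061; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/40;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e40 [tlp:white] Outgoing HTTP Domain lclebb6kvohlkcml.onion.nu"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lclebb6kvohlkcml.onion.nu"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lclebb6kvohlkcml\.onion\.nu[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4022062; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/40;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e40 [tlp:white] Outgoing URL bmacyzmea723xyaz.onion.link"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bmacyzmea723xyaz.onion.link"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bmacyzmea723xyaz\.onion\.link[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4022071; rev:2; priority:2; reference:url,https://misp.botvrij.eu/events/view/40;)
alert dns any any -> any any (msg: "MISP e40 [tlp:white] Domain bmacyzmea723xyaz.onion.nu"; dns.query; content:"bmacyzmea723xyaz.onion.nu"; nocase; pcre: "/(^|[^A-Za-z0-9-])bmacyzmea723xyaz\.onion\.nu$/i"; classtype:trojan-activity; sid:4022081; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/40;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e40 [tlp:white] Outgoing HTTP Domain bmacyzmea723xyaz.onion.nu"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bmacyzmea723xyaz.onion.nu"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bmacyzmea723xyaz\.onion\.nu[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4022082; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/40;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e40 [tlp:white] Outgoing URL nejdtkok7oz5kjoc.onion.link"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nejdtkok7oz5kjoc.onion.link"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nejdtkok7oz5kjoc\.onion\.link[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4022091; rev:2; priority:2; reference:url,https://misp.botvrij.eu/events/view/40;)
alert dns any any -> any any (msg: "MISP e40 [tlp:white] Domain nejdtkok7oz5kjoc.onion.nu"; dns.query; content:"nejdtkok7oz5kjoc.onion.nu"; nocase; pcre: "/(^|[^A-Za-z0-9-])nejdtkok7oz5kjoc\.onion\.nu$/i"; classtype:trojan-activity; sid:4022101; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/40;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e40 [tlp:white] Outgoing HTTP Domain nejdtkok7oz5kjoc.onion.nu"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nejdtkok7oz5kjoc.onion.nu"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nejdtkok7oz5kjoc\.onion\.nu[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4022102; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/40;)
# NOTE(review): the six event-41 rules below (sids 4022111-4022161) were exported with defanged "(.)"
# indicators copied verbatim into content: and msg:. A literal "(.)" never appears in a Host header, so as
# exported these rules could never fire. Refanged to the real hostnames, "fast_pattern" added as on this
# file's other "Outgoing URL" rules, rev bumped to 2. No "Host|3a|" anchor (same as the other URL rules), so
# the hostname also matches in other headers such as Referer. Confirm the refanged hosts against event 41.
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e41 [tlp:white] Outgoing URL http|3a|//raspberry.diversified-capital-management.com"; flow:to_server,established; http.header; content:"raspberry.diversified-capital-management.com"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4022111; rev:2; priority:3; reference:url,https://misp.botvrij.eu/events/view/41;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e41 [tlp:white] Outgoing URL http|3a|//7awhiudnj.holycrosschildrensservices.info"; flow:to_server,established; http.header; content:"7awhiudnj.holycrosschildrensservices.info"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4022121; rev:2; priority:3; reference:url,https://misp.botvrij.eu/events/view/41;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e41 [tlp:white] Outgoing URL http|3a|//amytiville.boysville.org"; flow:to_server,established; http.header; content:"amytiville.boysville.org"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4022131; rev:2; priority:3; reference:url,https://misp.botvrij.eu/events/view/41;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e41 [tlp:white] Outgoing URL http|3a|//charity.boysville.net"; flow:to_server,established; http.header; content:"charity.boysville.net"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4022141; rev:2; priority:3; reference:url,https://misp.botvrij.eu/events/view/41;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e41 [tlp:white] Outgoing URL http|3a|//backup.hcyfs.com"; flow:to_server,established; http.header; content:"backup.hcyfs.com"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4022151; rev:2; priority:3; reference:url,https://misp.botvrij.eu/events/view/41;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e41 [tlp:white] Outgoing URL http|3a|//j1k4cnee.holycrosschildrensservices.com"; flow:to_server,established; http.header; content:"j1k4cnee.holycrosschildrensservices.com"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4022161; rev:2; priority:3; reference:url,https://misp.botvrij.eu/events/view/41;)
# NOTE(review): event 42 lists many google-look-alike labels under firewall-gateway.com / .net and
# myfirewall.org. Each pcre requires a non-hostname character before its exact label, so new labels in the
# same zones are not covered; the zones themselves look shared (dynamic-DNS style — verify), so do not
# widen to the zone without checking event 42.
alert dns any any -> any any (msg: "MISP e42 [tlp:white] Domain filegoogle.firewall-gateway.com"; dns.query; content:"filegoogle.firewall-gateway.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])filegoogle\.firewall\-gateway\.com$/i"; classtype:trojan-activity; sid:4022281; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/42;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e42 [tlp:white] Outgoing HTTP Domain filegoogle.firewall-gateway.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"filegoogle.firewall-gateway.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])filegoogle\.firewall\-gateway\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4022282; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/42;)
alert dns any any -> any any (msg: "MISP e42 [tlp:white] Domain accountgoogle.firewall-gateway.com"; dns.query; content:"accountgoogle.firewall-gateway.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])accountgoogle\.firewall\-gateway\.com$/i"; classtype:trojan-activity; sid:4022291; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/42;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e42 [tlp:white] Outgoing HTTP Domain accountgoogle.firewall-gateway.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"accountgoogle.firewall-gateway.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])accountgoogle\.firewall\-gateway\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4022292; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/42;)
# (the next rule continues on the following line of the file)
alert dns any any -> any any (msg: "MISP e42 [tlp:white] Domain detail43.myfirewall.org"; dns.query; content:"detail43.myfirewall.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])detail43\.myfirewall\.org$/i"; classtype:trojan-activity; 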
sid:4022301; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/42;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e42 [tlp:white] Outgoing HTTP Domain detail43.myfirewall.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"detail43.myfirewall.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])detail43\.myfirewall\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4022302; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/42;)
# NOTE(review): three spelling variants of the same login path (/servicelogin, /serviclogin, /servicclogin)
# on google-look-alike labels under firewall-gateway.com (sids 4022311-4022331). They are distinct attributes
# in event 42 — do not "correct" them. The host is matched as an unanchored http.header substring (no
# "Host|3a|"), so it also matches in e.g. a Referer header; the path is an unanchored http.uri substring.
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e42 [tlp:white] Outgoing URL http|3a|//filegoogle.firewall-gateway.com/servicelogin"; flow:to_server,established; http.header; content:"filegoogle.firewall-gateway.com"; fast_pattern; nocase; http.uri; content:"/servicelogin"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4022311; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/42;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e42 [tlp:white] Outgoing URL http|3a|//accountgoogle.firewall-gateway.com/serviclogin"; flow:to_server,established; http.header; content:"accountgoogle.firewall-gateway.com"; fast_pattern; nocase; http.uri; content:"/serviclogin"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4022321; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/42;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e42 [tlp:white] Outgoing URL http|3a|//accountgoogle.firewall-gateway.com/servicclogin"; flow:to_server,established; http.header; content:"accountgoogle.firewall-gateway.com"; fast_pattern; nocase; http.uri; content:"/servicclogin"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4022331; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/42;)
# NOTE(review): the remaining event-42 domain rules each match one exact label under firewall-gateway.com /
# .net (the pcre requires a non-hostname character before the label), so other labels in those zones are
# not covered. The zones look shared (dynamic-DNS style — verify) so widening to the zone needs care.
alert dns any any -> any any (msg: "MISP e42 [tlp:white] Domain sys.firewall-gateway.net"; dns.query; content:"sys.firewall-gateway.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])sys\.firewall\-gateway\.net$/i"; classtype:trojan-activity; sid:4022341; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/42;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e42 [tlp:white] Outgoing HTTP Domain sys.firewall-gateway.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sys.firewall-gateway.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sys\.firewall\-gateway\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4022342; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/42;)
alert dns any any -> any any (msg: "MISP e42 [tlp:white] Domain news.firewall-gateway.com"; dns.query; content:"news.firewall-gateway.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])news\.firewall\-gateway\.com$/i"; classtype:trojan-activity; sid:4022471; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/42;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e42 [tlp:white] Outgoing HTTP Domain news.firewall-gateway.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"news.firewall-gateway.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])news\.firewall\-gateway\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4022472; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/42;)
# NOTE(review): "alert ip" rules carry no flow, port, content or threshold option — any traffic from
# $HOME_NET to the listed address, on any protocol, alerts. Confirm bare IPs against event 42 before
# keeping them in production.
alert ip $HOME_NET any -> 109.169.77.230 any (msg: "MISP e42 [tlp:white] Outgoing To IP: 109.169.77.230"; classtype:trojan-activity; sid:4022491; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/42;)
alert ip $HOME_NET any -> 95.154.195.159 any (msg: "MISP e42 [tlp:white] Outgoing To IP: 95.154.195.159"; classtype:trojan-activity; sid:4022521; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/42;)
alert ip $HOME_NET any -> 95.154.195.171 any (msg: "MISP e42 [tlp:white] Outgoing To IP: 95.154.195.171"; classtype:trojan-activity; sid:4022531; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/42;)
alert dns any any -> any any (msg: "MISP e42 [tlp:white] Domain accountsgoogle.firewall-gateway.com"; dns.query; content:"accountsgoogle.firewall-gateway.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])accountsgoogle\.firewall\-gateway\.com$/i"; classtype:trojan-activity; sid:4022541; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/42;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e42 [tlp:white] Outgoing HTTP Domain accountsgoogle.firewall-gateway.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"accountsgoogle.firewall-gateway.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])accountsgoogle\.firewall\-gateway\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4022542; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/42;)
alert dns any any -> any any (msg: "MISP e42 [tlp:white] Domain accounts-google.firewall-gateway.com"; dns.query; content:"accounts-google.firewall-gateway.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])accounts\-google\.firewall\-gateway\.com$/i"; classtype:trojan-activity; sid:4022551; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/42;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e42 [tlp:white] Outgoing HTTP Domain accounts-google.firewall-gateway.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"accounts-google.firewall-gateway.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])accounts\-google\.firewall\-gateway\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4022552; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/42;)
alert dns any any -> any any (msg: "MISP e42 [tlp:white] Domain accountsgoogles.firewall-gateway.com"; dns.query; content:"accountsgoogles.firewall-gateway.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])accountsgoogles\.firewall\-gateway\.com$/i"; classtype:trojan-activity; sid:4022561; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/42;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e42 [tlp:white] Outgoing HTTP Domain accountsgoogles.firewall-gateway.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"accountsgoogles.firewall-gateway.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])accountsgoogles\.firewall\-gateway\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4022562; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/42;)
alert dns any any -> any any (msg: "MISP e42 [tlp:white] Domain googlefile.firewall-gateway.net"; dns.query; content:"googlefile.firewall-gateway.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])googlefile\.firewall\-gateway\.net$/i"; classtype:trojan-activity; sid:4022571; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/42;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e42 [tlp:white] Outgoing HTTP Domain googlefile.firewall-gateway.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"googlefile.firewall-gateway.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])googlefile\.firewall\-gateway\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4022572; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/42;)
alert dns any any -> any any (msg: "MISP e42 [tlp:white] Domain firewallupdate.firewall-gateway.com"; dns.query; content:"firewallupdate.firewall-gateway.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])firewallupdate\.firewall\-gateway\.com$/i"; classtype:trojan-activity; sid:4022581; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/42;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e42 [tlp:white] Outgoing HTTP Domain firewallupdate.firewall-gateway.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"firewallupdate.firewall-gateway.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])firewallupdate\.firewall\-gateway\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4022582; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/42;)
alert dns any any -> any any (msg: "MISP e42 [tlp:white] Domain firewallupdate.firewall-gateway.net"; dns.query; content:"firewallupdate.firewall-gateway.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])firewallupdate\.firewall\-gateway\.net$/i"; classtype:trojan-activity; sid:4022591; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/42;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e42 [tlp:white] Outgoing HTTP Domain firewallupdate.firewall-gateway.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"firewallupdate.firewall-gateway.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])firewallupdate\.firewall\-gateway\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4022592; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/42;)
alert dns any any -> any any (msg: "MISP e42 [tlp:white] Domain drivgoogle.firewall-gateway.com"; dns.query; content:"drivgoogle.firewall-gateway.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])drivgoogle\.firewall\-gateway\.com$/i"; classtype:trojan-activity; sid:4022601; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/42;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e42 [tlp:white] Outgoing HTTP Domain drivgoogle.firewall-gateway.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"drivgoogle.firewall-gateway.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])drivgoogle\.firewall\-gateway\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4022602; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/42;)
alert ip $HOME_NET any -> 5.54.19.17 any (msg: "MISP e42 [tlp:white] Outgoing To IP: 5.54.19.17"; classtype:trojan-activity; sid:4022611; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/42;)
alert ip $HOME_NET any -> 78.129.252.159 any (msg: "MISP e42 [tlp:white] Outgoing To IP: 78.129.252.159"; classtype:trojan-activity; sid:4022621; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/42;)
alert ip $HOME_NET any -> 87.117.229.109 any (msg: "MISP e42 [tlp:white] Outgoing To IP: 87.117.229.109"; classtype:trojan-activity; sid:4022631; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/42;)
alert ip $HOME_NET any -> 109.169.40.172 any (msg: "MISP e42 [tlp:white] Outgoing To IP: 109.169.40.172"; classtype:trojan-activity; sid:4022641; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/42;)
alert ip $HOME_NET any -> 46.127.56.109 any (msg: "MISP e42 [tlp:white] Outgoing To IP: 46.127.56.109"; classtype:trojan-activity; sid:4022651; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/42;)
alert ip $HOME_NET any -> 192.253.251.118 any (msg: "MISP e42 [tlp:white] Outgoing To IP: 192.253.251.118"; classtype:trojan-activity; sid:4022661; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/42;)
alert dns any any -> any any (msg: "MISP e43 [tlp:white] Domain supratimewest.com"; dns.query; content:"supratimewest.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])supratimewest\.com$/i"; classtype:trojan-activity; sid:4022671; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/43;)
# (the next rule continues on the following line of the file)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e43 [tlp:white] Outgoing HTTP Domain supratimewest.com"; flow:to_server,established; http.header; content: "Host|3a|"; 
nocase; http.header; content:"supratimewest.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])supratimewest\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4022672; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/43;) alert dns any any -> any any (msg: "MISP e43 [tlp:white] Domain letterinklandoix.net"; dns.query; content:"letterinklandoix.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])letterinklandoix\.net$/i"; classtype:trojan-activity; sid:4022681; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/43;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e43 [tlp:white] Outgoing HTTP Domain letterinklandoix.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"letterinklandoix.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])letterinklandoix\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4022682; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/43;) alert dns any any -> any any (msg: "MISP e43 [tlp:white] Domain supratimewest.biz"; dns.query; content:"supratimewest.biz"; nocase; pcre: "/(^|[^A-Za-z0-9-])supratimewest\.biz$/i"; classtype:trojan-activity; sid:4022691; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/43;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e43 [tlp:white] Outgoing HTTP Domain supratimewest.biz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"supratimewest.biz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])supratimewest\.biz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4022692; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/43;) alert dns any any -> any any (msg: "MISP e43 [tlp:white] Domain starwoodhotels.pw"; dns.query; content:"starwoodhotels.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])starwoodhotels\.pw$/i"; classtype:trojan-activity; 
sid:4022701; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/43;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e43 [tlp:white] Outgoing HTTP Domain starwoodhotels.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"starwoodhotels.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])starwoodhotels\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4022702; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/43;) alert dns any any -> any any (msg: "MISP e43 [tlp:white] Domain oklinjgreirestacks.biz"; dns.query; content:"oklinjgreirestacks.biz"; nocase; pcre: "/(^|[^A-Za-z0-9-])oklinjgreirestacks\.biz$/i"; classtype:trojan-activity; sid:4022711; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/43;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e43 [tlp:white] Outgoing HTTP Domain oklinjgreirestacks.biz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"oklinjgreirestacks.biz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])oklinjgreirestacks\.biz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4022712; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/43;) alert dns any any -> any any (msg: "MISP e43 [tlp:white] Domain www.starwoodhotels.pw"; dns.query; content:"www.starwoodhotels.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.starwoodhotels\.pw$/i"; classtype:trojan-activity; sid:4022721; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/43;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e43 [tlp:white] Outgoing HTTP Domain www.starwoodhotels.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"www.starwoodhotels.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.starwoodhotels\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4022722; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/43;) alert dns any any -> any any (msg: "MISP e43 [tlp:white] Domain brookmensoklinherz.org"; dns.query; content:"brookmensoklinherz.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])brookmensoklinherz\.org$/i"; classtype:trojan-activity; sid:4022731; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/43;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e43 [tlp:white] Outgoing HTTP Domain brookmensoklinherz.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"brookmensoklinherz.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])brookmensoklinherz\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4022732; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/43;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e46 [tlp:white] Outgoing URL http|3a|//bestsendmoney.org/"; flow:to_server,established; http.header; content:"bestsendmoney.org"; fast_pattern; nocase; http.uri; content:"/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4024001; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/46;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e47 [tlp:white] Outgoing URL http|3a|//roe53ncs47yt564u.onion/east3/"; flow:to_server,established; http.header; content:"roe53ncs47yt564u.onion"; fast_pattern; nocase; http.uri; content:"/east3/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4024161; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/47;) alert ip $HOME_NET any -> 212.112.245.170 any (msg: "MISP e48 [tlp:white] Outgoing To IP: 212.112.245.170"; classtype:trojan-activity; sid:4024201; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/48;) alert dns any any -> any any (msg: "MISP e48 [tlp:white] Hostname ip.telize.com"; 
dns.query; content:"ip.telize.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ip\.telize\.com$/i"; classtype:trojan-activity; sid:4024211; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/48;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e48 [tlp:white] Outgoing HTTP Hostname ip.telize.com"; flow:to_server,established; http.header; content: "Host|3a| ip.telize.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ip\.telize\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4024212; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/48;) alert ip $HOME_NET any -> 185.130.104.131 any (msg: "MISP e49 [tlp:white] Outgoing To IP: 185.130.104.131"; classtype:trojan-activity; sid:4024711; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/49;) alert ip $HOME_NET any -> 185.130.5.201 any (msg: "MISP e49 [tlp:white] Outgoing To IP: 185.130.5.201"; classtype:trojan-activity; sid:4024721; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/49;) alert ip $HOME_NET any -> 185.130.5.202 any (msg: "MISP e49 [tlp:white] Outgoing To IP: 185.130.5.202"; classtype:trojan-activity; sid:4024731; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/49;) alert ip $HOME_NET any -> 5.149.254.114 any (msg: "MISP e50 [tlp:white] Outgoing To IP: 5.149.254.114"; classtype:trojan-activity; sid:4025231; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/50;) alert ip $HOME_NET any -> 5.9.32.230 any (msg: "MISP e50 [tlp:white] Outgoing To IP: 5.9.32.230"; classtype:trojan-activity; sid:4025241; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/50;) alert ip $HOME_NET any -> 31.210.111.154 any (msg: "MISP e50 [tlp:white] Outgoing To IP: 31.210.111.154"; classtype:trojan-activity; sid:4025251; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/50;) alert ip $HOME_NET any -> 88.198.25.92 any (msg: "MISP e50 [tlp:white] 
Outgoing To IP: 88.198.25.92"; classtype:trojan-activity; sid:4025261; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/50;) alert ip $HOME_NET any -> 146.0.74.7 any (msg: "MISP e50 [tlp:white] Outgoing To IP: 146.0.74.7"; classtype:trojan-activity; sid:4025271; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/50;) alert ip $HOME_NET any -> 188.40.8.72 any (msg: "MISP e50 [tlp:white] Outgoing To IP: 188.40.8.72"; classtype:trojan-activity; sid:4025281; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/50;) alert ip $HOME_NET any -> 148.251.82.21 any (msg: "MISP e50 [tlp:white] Outgoing To IP: 148.251.82.21"; classtype:trojan-activity; sid:4025291; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/50;) alert ip $HOME_NET any -> 94.158.214.45 any (msg: "MISP e50 [tlp:white] Outgoing To IP: 94.158.214.45"; classtype:trojan-activity; sid:4025301; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/50;) alert ip $HOME_NET any -> 2.61.168.116 any (msg: "MISP e50 [tlp:white] Outgoing To IP: 2.61.168.116"; classtype:trojan-activity; sid:4025311; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/50;) alert dns any any -> any any (msg: "MISP e51 [tlp:white] Domain traffic-systems.biz"; dns.query; content:"traffic-systems.biz"; nocase; pcre: "/(^|[^A-Za-z0-9-])traffic\-systems\.biz$/i"; classtype:trojan-activity; sid:4025321; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/51;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e51 [tlp:white] Outgoing HTTP Domain traffic-systems.biz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"traffic-systems.biz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])traffic\-systems\.biz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025322; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/51;) alert dns any 
any -> any any (msg: "MISP e51 [tlp:white] Domain medtronic.pw"; dns.query; content:"medtronic.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])medtronic\.pw$/i"; classtype:trojan-activity; sid:4025331; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/51;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e51 [tlp:white] Outgoing HTTP Domain medtronic.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"medtronic.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])medtronic\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025332; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/51;) alert ip $HOME_NET any -> 188.138.69.136 any (msg: "MISP e51 [tlp:white] Outgoing To IP: 188.138.69.136"; classtype:trojan-activity; sid:4025341; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/51;) alert ip $HOME_NET any -> 188.138.68.191 any (msg: "MISP e51 [tlp:white] Outgoing To IP: 188.138.68.191"; classtype:trojan-activity; sid:4025351; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/51;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain qggeieyeemioyoym.org"; dns.query; content:"qggeieyeemioyoym.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])qggeieyeemioyoym\.org$/i"; classtype:trojan-activity; sid:4025451; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain qggeieyeemioyoym.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"qggeieyeemioyoym.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])qggeieyeemioyoym\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025452; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain gmqqsmgoeamkmmuq.org"; 
dns.query; content:"gmqqsmgoeamkmmuq.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])gmqqsmgoeamkmmuq\.org$/i"; classtype:trojan-activity; sid:4025461; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain gmqqsmgoeamkmmuq.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gmqqsmgoeamkmmuq.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gmqqsmgoeamkmmuq\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025462; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain eiuksoyigkmysqww.org"; dns.query; content:"eiuksoyigkmysqww.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])eiuksoyigkmysqww\.org$/i"; classtype:trojan-activity; sid:4025471; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain eiuksoyigkmysqww.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"eiuksoyigkmysqww.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])eiuksoyigkmysqww\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025472; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain kusumyekqaaskcqw.org"; dns.query; content:"kusumyekqaaskcqw.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])kusumyekqaaskcqw\.org$/i"; classtype:trojan-activity; sid:4025481; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain kusumyekqaaskcqw.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kusumyekqaaskcqw.org"; fast_pattern; 
nocase; pcre: "/(^|[^A-Za-z0-9-])kusumyekqaaskcqw\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025482; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain skaaaymcieiewcwk.org"; dns.query; content:"skaaaymcieiewcwk.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])skaaaymcieiewcwk\.org$/i"; classtype:trojan-activity; sid:4025491; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain skaaaymcieiewcwk.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"skaaaymcieiewcwk.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])skaaaymcieiewcwk\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025492; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain skqgakcyowmwcomc.org"; dns.query; content:"skqgakcyowmwcomc.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])skqgakcyowmwcomc\.org$/i"; classtype:trojan-activity; sid:4025501; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain skqgakcyowmwcomc.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"skqgakcyowmwcomc.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])skqgakcyowmwcomc\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025502; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain ywywuqmswcyuqueg.org"; dns.query; content:"ywywuqmswcyuqueg.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])ywywuqmswcyuqueg\.org$/i"; classtype:trojan-activity; sid:4025511; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain ywywuqmswcyuqueg.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ywywuqmswcyuqueg.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ywywuqmswcyuqueg\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025512; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain qgkogkwosuuugaey.org"; dns.query; content:"qgkogkwosuuugaey.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])qgkogkwosuuugaey\.org$/i"; classtype:trojan-activity; sid:4025521; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain qgkogkwosuuugaey.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"qgkogkwosuuugaey.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])qgkogkwosuuugaey\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025522; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain myqoeeuiyguqisiu.org"; dns.query; content:"myqoeeuiyguqisiu.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])myqoeeuiyguqisiu\.org$/i"; classtype:trojan-activity; sid:4025531; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain myqoeeuiyguqisiu.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"myqoeeuiyguqisiu.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])myqoeeuiyguqisiu\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025532; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain ywseaqwkgaecqumy.org"; dns.query; content:"ywseaqwkgaecqumy.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])ywseaqwkgaecqumy\.org$/i"; classtype:trojan-activity; sid:4025541; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain ywseaqwkgaecqumy.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ywseaqwkgaecqumy.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ywseaqwkgaecqumy\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025542; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain skoqqgkoaymgmigi.org"; dns.query; content:"skoqqgkoaymgmigi.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])skoqqgkoaymgmigi\.org$/i"; classtype:trojan-activity; sid:4025551; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain skoqqgkoaymgmigi.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"skoqqgkoaymgmigi.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])skoqqgkoaymgmigi\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025552; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain wskugoswmwomsciy.org"; dns.query; content:"wskugoswmwomsciy.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])wskugoswmwomsciy\.org$/i"; classtype:trojan-activity; sid:4025561; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain 
wskugoswmwomsciy.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wskugoswmwomsciy.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wskugoswmwomsciy\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025562; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain uoyksmyysmoeocwa.org"; dns.query; content:"uoyksmyysmoeocwa.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])uoyksmyysmoeocwa\.org$/i"; classtype:trojan-activity; sid:4025571; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain uoyksmyysmoeocwa.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"uoyksmyysmoeocwa.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])uoyksmyysmoeocwa\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025572; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain iqeukamwqoicckwu.org"; dns.query; content:"iqeukamwqoicckwu.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])iqeukamwqoicckwu\.org$/i"; classtype:trojan-activity; sid:4025581; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain iqeukamwqoicckwu.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"iqeukamwqoicckwu.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])iqeukamwqoicckwu\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025582; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain myyacsmsimwoiygq.org"; dns.query; 
content:"myyacsmsimwoiygq.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])myyacsmsimwoiygq\.org$/i"; classtype:trojan-activity; sid:4025591; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain myyacsmsimwoiygq.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"myyacsmsimwoiygq.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])myyacsmsimwoiygq\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025592; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain kuqwwqywmikmogwo.org"; dns.query; content:"kuqwwqywmikmogwo.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])kuqwwqywmikmogwo\.org$/i"; classtype:trojan-activity; sid:4025601; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain kuqwwqywmikmogwo.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kuqwwqywmikmogwo.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kuqwwqywmikmogwo\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025602; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain uocsaqcaigosuwqk.org"; dns.query; content:"uocsaqcaigosuwqk.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])uocsaqcaigosuwqk\.org$/i"; classtype:trojan-activity; sid:4025611; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain uocsaqcaigosuwqk.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"uocsaqcaigosuwqk.org"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])uocsaqcaigosuwqk\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025612; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain kucuyusiqsseqmso.org"; dns.query; content:"kucuyusiqsseqmso.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])kucuyusiqsseqmso\.org$/i"; classtype:trojan-activity; sid:4025621; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain kucuyusiqsseqmso.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kucuyusiqsseqmso.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kucuyusiqsseqmso\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025622; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain kucmcamaqsgmaiye.org"; dns.query; content:"kucmcamaqsgmaiye.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])kucmcamaqsgmaiye\.org$/i"; classtype:trojan-activity; sid:4025631; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain kucmcamaqsgmaiye.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kucmcamaqsgmaiye.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kucmcamaqsgmaiye\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025632; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain uosqmakeosgssquc.org"; dns.query; content:"uosqmakeosgssquc.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])uosqmakeosgssquc\.org$/i"; classtype:trojan-activity; sid:4025641; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain uosqmakeosgssquc.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"uosqmakeosgssquc.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])uosqmakeosgssquc\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025642; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain skmggwaiuwuywgwy.org"; dns.query; content:"skmggwaiuwuywgwy.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])skmggwaiuwuywgwy\.org$/i"; classtype:trojan-activity; sid:4025651; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain skmggwaiuwuywgwy.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"skmggwaiuwuywgwy.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])skmggwaiuwuywgwy\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025652; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain myiskosuiikykagi.org"; dns.query; content:"myiskosuiikykagi.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])myiskosuiikykagi\.org$/i"; classtype:trojan-activity; sid:4025661; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain myiskosuiikykagi.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"myiskosuiikykagi.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])myiskosuiikykagi\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025662; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain cegauoqsykgqecqc.org"; dns.query; content:"cegauoqsykgqecqc.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])cegauoqsykgqecqc\.org$/i"; classtype:trojan-activity; sid:4025671; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain cegauoqsykgqecqc.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cegauoqsykgqecqc.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cegauoqsykgqecqc\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025672; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain skkikukwuauawigs.org"; dns.query; content:"skkikukwuauawigs.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])skkikukwuauawigs\.org$/i"; classtype:trojan-activity; sid:4025681; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain skkikukwuauawigs.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"skkikukwuauawigs.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])skkikukwuauawigs\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025682; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain kuyuacgsiowawsqa.org"; dns.query; content:"kuyuacgsiowawsqa.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])kuyuacgsiowawsqa\.org$/i"; classtype:trojan-activity; sid:4025691; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain 
kuyuacgsiowawsqa.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kuyuacgsiowawsqa.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kuyuacgsiowawsqa\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025692; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain aaiwiciisemsauee.org"; dns.query; content:"aaiwiciisemsauee.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])aaiwiciisemsauee\.org$/i"; classtype:trojan-activity; sid:4025701; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain aaiwiciisemsauee.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"aaiwiciisemsauee.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])aaiwiciisemsauee\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025702; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain kukciamwyywywege.org"; dns.query; content:"kukciamwyywywege.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])kukciamwyywywege\.org$/i"; classtype:trojan-activity; sid:4025711; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain kukciamwyywywege.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kukciamwyywywege.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kukciamwyywywege\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025712; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain ywyoyicywkuuyuye.org"; dns.query; 
content:"ywyoyicywkuuyuye.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])ywyoyicywkuuyuye\.org$/i"; classtype:trojan-activity; sid:4025721; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain ywyoyicywkuuyuye.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ywyoyicywkuuyuye.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ywyoyicywkuuyuye\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025722; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain ywcswiwiseiwuqik.org"; dns.query; content:"ywcswiwiseiwuqik.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])ywcswiwiseiwuqik\.org$/i"; classtype:trojan-activity; sid:4025731; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain ywcswiwiseiwuqik.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ywcswiwiseiwuqik.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ywcswiwiseiwuqik\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025732; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain eiaecgesauokiigq.org"; dns.query; content:"eiaecgesauokiigq.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])eiaecgesauokiigq\.org$/i"; classtype:trojan-activity; sid:4025741; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain eiaecgesauokiigq.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"eiaecgesauokiigq.org"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])eiaecgesauokiigq\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025742; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain gmaeesguiokeyqwo.org"; dns.query; content:"gmaeesguiokeyqwo.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])gmaeesguiokeyqwo\.org$/i"; classtype:trojan-activity; sid:4025751; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain gmaeesguiokeyqwo.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gmaeesguiokeyqwo.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gmaeesguiokeyqwo\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025752; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain ceyueaeiogooemgq.org"; dns.query; content:"ceyueaeiogooemgq.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])ceyueaeiogooemgq\.org$/i"; classtype:trojan-activity; sid:4025761; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain ceyueaeiogooemgq.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ceyueaeiogooemgq.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ceyueaeiogooemgq\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025762; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain qgswmomeoygasskq.org"; dns.query; content:"qgswmomeoygasskq.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])qgswmomeoygasskq\.org$/i"; classtype:trojan-activity; sid:4025771; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain qgswmomeoygasskq.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"qgswmomeoygasskq.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])qgswmomeoygasskq\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025772; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain ywoekqumwmygouka.org"; dns.query; content:"ywoekqumwmygouka.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])ywoekqumwmygouka\.org$/i"; classtype:trojan-activity; sid:4025781; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain ywoekqumwmygouka.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ywoekqumwmygouka.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ywoekqumwmygouka\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025782; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain wsecooueqmaykqco.org"; dns.query; content:"wsecooueqmaykqco.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])wsecooueqmaykqco\.org$/i"; classtype:trojan-activity; sid:4025791; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain wsecooueqmaykqco.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wsecooueqmaykqco.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wsecooueqmaykqco\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025792; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain wscswugeiuayswqg.org"; dns.query; content:"wscswugeiuayswqg.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])wscswugeiuayswqg\.org$/i"; classtype:trojan-activity; sid:4025801; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain wscswugeiuayswqg.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wscswugeiuayswqg.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wscswugeiuayswqg\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025802; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain ocsomesgaqgoacga.org"; dns.query; content:"ocsomesgaqgoacga.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])ocsomesgaqgoacga\.org$/i"; classtype:trojan-activity; sid:4025811; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain ocsomesgaqgoacga.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ocsomesgaqgoacga.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ocsomesgaqgoacga\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025812; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain gmgigoiogeosyawm.org"; dns.query; content:"gmgigoiogeosyawm.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])gmgigoiogeosyawm\.org$/i"; classtype:trojan-activity; sid:4025821; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain 
gmgigoiogeosyawm.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gmgigoiogeosyawm.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gmgigoiogeosyawm\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025822; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain uoukqqyamggcssee.org"; dns.query; content:"uoukqqyamggcssee.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])uoukqqyamggcssee\.org$/i"; classtype:trojan-activity; sid:4025831; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain uoukqqyamggcssee.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"uoukqqyamggcssee.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])uoukqqyamggcssee\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025832; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain mycsawomqiqkgqgu.org"; dns.query; content:"mycsawomqiqkgqgu.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])mycsawomqiqkgqgu\.org$/i"; classtype:trojan-activity; sid:4025841; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain mycsawomqiqkgqgu.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mycsawomqiqkgqgu.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mycsawomqiqkgqgu\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025842; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain ceigqweqwaywiqgu.org"; dns.query; 
content:"ceigqweqwaywiqgu.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])ceigqweqwaywiqgu\.org$/i"; classtype:trojan-activity; sid:4025851; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain ceigqweqwaywiqgu.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ceigqweqwaywiqgu.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ceigqweqwaywiqgu\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025852; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain gmaaesccmakkekuc.org"; dns.query; content:"gmaaesccmakkekuc.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])gmaaesccmakkekuc\.org$/i"; classtype:trojan-activity; sid:4025861; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain gmaaesccmakkekuc.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gmaaesccmakkekuc.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gmaaesccmakkekuc\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025862; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain kuawkswesmaaaqwm.org"; dns.query; content:"kuawkswesmaaaqwm.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])kuawkswesmaaaqwm\.org$/i"; classtype:trojan-activity; sid:4025871; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain kuawkswesmaaaqwm.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kuawkswesmaaaqwm.org"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])kuawkswesmaaaqwm\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025872; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain wsucmwkccgaiwkuq.org"; dns.query; content:"wsucmwkccgaiwkuq.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])wsucmwkccgaiwkuq\.org$/i"; classtype:trojan-activity; sid:4025881; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain wsucmwkccgaiwkuq.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wsucmwkccgaiwkuq.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wsucmwkccgaiwkuq\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025882; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain myqmcqiycymqouas.org"; dns.query; content:"myqmcqiycymqouas.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])myqmcqiycymqouas\.org$/i"; classtype:trojan-activity; sid:4025891; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain myqmcqiycymqouas.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"myqmcqiycymqouas.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])myqmcqiycymqouas\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025892; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain eimsgkqemekuggss.org"; dns.query; content:"eimsgkqemekuggss.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])eimsgkqemekuggss\.org$/i"; classtype:trojan-activity; sid:4025901; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain eimsgkqemekuggss.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"eimsgkqemekuggss.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])eimsgkqemekuggss\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025902; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain ywuwegokskgcowec.org"; dns.query; content:"ywuwegokskgcowec.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])ywuwegokskgcowec\.org$/i"; classtype:trojan-activity; sid:4025911; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain ywuwegokskgcowec.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ywuwegokskgcowec.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ywuwegokskgcowec\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025912; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain ywkyogwycimaciua.org"; dns.query; content:"ywkyogwycimaciua.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])ywkyogwycimaciua\.org$/i"; classtype:trojan-activity; sid:4025921; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain ywkyogwycimaciua.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ywkyogwycimaciua.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ywkyogwycimaciua\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025922; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain qgukscwooqacqumu.org"; dns.query; content:"qgukscwooqacqumu.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])qgukscwooqacqumu\.org$/i"; classtype:trojan-activity; sid:4025931; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain qgukscwooqacqumu.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"qgukscwooqacqumu.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])qgukscwooqacqumu\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025932; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain kuseseaywucqwkqk.org"; dns.query; content:"kuseseaywucqwkqk.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])kuseseaywucqwkqk\.org$/i"; classtype:trojan-activity; sid:4025941; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain kuseseaywucqwkqk.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kuseseaywucqwkqk.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kuseseaywucqwkqk\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025942; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain ywsksuaigquqyiuc.org"; dns.query; content:"ywsksuaigquqyiuc.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])ywsksuaigquqyiuc\.org$/i"; classtype:trojan-activity; sid:4025951; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain 
ywsksuaigquqyiuc.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ywsksuaigquqyiuc.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ywsksuaigquqyiuc\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025952; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain ocswikyocogewgmu.org"; dns.query; content:"ocswikyocogewgmu.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])ocswikyocogewgmu\.org$/i"; classtype:trojan-activity; sid:4025961; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain ocswikyocogewgmu.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ocswikyocogewgmu.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ocswikyocogewgmu\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025962; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain skmkmwgesgyacois.org"; dns.query; content:"skmkmwgesgyacois.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])skmkmwgesgyacois\.org$/i"; classtype:trojan-activity; sid:4025971; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain skmkmwgesgyacois.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"skmkmwgesgyacois.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])skmkmwgesgyacois\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025972; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain wsmckqcuqgiqamwq.org"; dns.query; 
content:"wsmckqcuqgiqamwq.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])wsmckqcuqgiqamwq\.org$/i"; classtype:trojan-activity; sid:4025981; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain wsmckqcuqgiqamwq.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wsmckqcuqgiqamwq.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wsmckqcuqgiqamwq\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025982; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain aaokguquwimiegys.org"; dns.query; content:"aaokguquwimiegys.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])aaokguquwimiegys\.org$/i"; classtype:trojan-activity; sid:4025991; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain aaokguquwimiegys.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"aaokguquwimiegys.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])aaokguquwimiegys\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4025992; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain wsgqwkeysmqmwiwy.org"; dns.query; content:"wsgqwkeysmqmwiwy.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])wsgqwkeysmqmwiwy\.org$/i"; classtype:trojan-activity; sid:4026001; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain wsgqwkeysmqmwiwy.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wsgqwkeysmqmwiwy.org"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])wsgqwkeysmqmwiwy\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026002; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain wsgggmmsciugqmsi.org"; dns.query; content:"wsgggmmsciugqmsi.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])wsgggmmsciugqmsi\.org$/i"; classtype:trojan-activity; sid:4026011; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain wsgggmmsciugqmsi.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wsgggmmsciugqmsi.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wsgggmmsciugqmsi\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026012; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain qgkgkqwymkaakias.org"; dns.query; content:"qgkgkqwymkaakias.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])qgkgkqwymkaakias\.org$/i"; classtype:trojan-activity; sid:4026021; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain qgkgkqwymkaakias.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"qgkgkqwymkaakias.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])qgkgkqwymkaakias\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026022; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain iquocuamkwawywsk.org"; dns.query; content:"iquocuamkwawywsk.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])iquocuamkwawywsk\.org$/i"; classtype:trojan-activity; sid:4026031; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain iquocuamkwawywsk.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"iquocuamkwawywsk.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])iquocuamkwawywsk\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026032; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain myuickmykcuoqekg.org"; dns.query; content:"myuickmykcuoqekg.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])myuickmykcuoqekg\.org$/i"; classtype:trojan-activity; sid:4026041; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain myuickmykcuoqekg.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"myuickmykcuoqekg.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])myuickmykcuoqekg\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026042; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain eiuqwoiwkqqicmgm.org"; dns.query; content:"eiuqwoiwkqqicmgm.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])eiuqwoiwkqqicmgm\.org$/i"; classtype:trojan-activity; sid:4026051; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain eiuqwoiwkqqicmgm.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"eiuqwoiwkqqicmgm.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])eiuqwoiwkqqicmgm\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026052; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain uociwiiqgmqwwmkq.org"; dns.query; content:"uociwiiqgmqwwmkq.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])uociwiiqgmqwwmkq\.org$/i"; classtype:trojan-activity; sid:4026061; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain uociwiiqgmqwwmkq.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"uociwiiqgmqwwmkq.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])uociwiiqgmqwwmkq\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026062; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain aaiiyceccigqwgua.org"; dns.query; content:"aaiiyceccigqwgua.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])aaiiyceccigqwgua\.org$/i"; classtype:trojan-activity; sid:4026071; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain aaiiyceccigqwgua.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"aaiiyceccigqwgua.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])aaiiyceccigqwgua\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026072; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain kukwweimqccqmgii.org"; dns.query; content:"kukwweimqccqmgii.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])kukwweimqccqmgii\.org$/i"; classtype:trojan-activity; sid:4026081; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain 
kukwweimqccqmgii.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kukwweimqccqmgii.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kukwweimqccqmgii\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026082; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain wsqqusgiaayeseik.org"; dns.query; content:"wsqqusgiaayeseik.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])wsqqusgiaayeseik\.org$/i"; classtype:trojan-activity; sid:4026091; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain wsqqusgiaayeseik.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wsqqusgiaayeseik.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wsqqusgiaayeseik\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026092; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain ocqaywqqgwgquame.org"; dns.query; content:"ocqaywqqgwgquame.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])ocqaywqqgwgquame\.org$/i"; classtype:trojan-activity; sid:4026101; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain ocqaywqqgwgquame.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ocqaywqqgwgquame.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ocqaywqqgwgquame\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026102; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain iqumgmcqwuqgaaus.org"; dns.query; 
content:"iqumgmcqwuqgaaus.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])iqumgmcqwuqgaaus\.org$/i"; classtype:trojan-activity; sid:4026111; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain iqumgmcqwuqgaaus.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"iqumgmcqwuqgaaus.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])iqumgmcqwuqgaaus\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026112; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain aacmmqgiaumygkcw.org"; dns.query; content:"aacmmqgiaumygkcw.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])aacmmqgiaumygkcw\.org$/i"; classtype:trojan-activity; sid:4026121; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain aacmmqgiaumygkcw.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"aacmmqgiaumygkcw.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])aacmmqgiaumygkcw\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026122; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain kuqqqgskcsmkgyai.org"; dns.query; content:"kuqqqgskcsmkgyai.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])kuqqqgskcsmkgyai\.org$/i"; classtype:trojan-activity; sid:4026131; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain kuqqqgskcsmkgyai.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kuqqqgskcsmkgyai.org"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])kuqqqgskcsmkgyai\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026132; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain myaooqysgucekccq.org"; dns.query; content:"myaooqysgucekccq.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])myaooqysgucekccq\.org$/i"; classtype:trojan-activity; sid:4026141; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain myaooqysgucekccq.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"myaooqysgucekccq.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])myaooqysgucekccq\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026142; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain eicseqoesyiqawii.org"; dns.query; content:"eicseqoesyiqawii.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])eicseqoesyiqawii\.org$/i"; classtype:trojan-activity; sid:4026151; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain eicseqoesyiqawii.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"eicseqoesyiqawii.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])eicseqoesyiqawii\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026152; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain aacaeqieqoaiykws.org"; dns.query; content:"aacaeqieqoaiykws.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])aacaeqieqoaiykws\.org$/i"; classtype:trojan-activity; sid:4026161; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain aacaeqieqoaiykws.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"aacaeqieqoaiykws.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])aacaeqieqoaiykws\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026162; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain skmymmeiaoooigke.org"; dns.query; content:"skmymmeiaoooigke.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])skmymmeiaoooigke\.org$/i"; classtype:trojan-activity; sid:4026171; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain skmymmeiaoooigke.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"skmymmeiaoooigke.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])skmymmeiaoooigke\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026172; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain skagmesgiuwoygsg.org"; dns.query; content:"skagmesgiuwoygsg.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])skagmesgiuwoygsg\.org$/i"; classtype:trojan-activity; sid:4026181; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain skagmesgiuwoygsg.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"skagmesgiuwoygsg.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])skagmesgiuwoygsg\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026182; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain eiswaaguaiagwyki.org"; dns.query; content:"eiswaaguaiagwyki.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])eiswaaguaiagwyki\.org$/i"; classtype:trojan-activity; sid:4026191; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain eiswaaguaiagwyki.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"eiswaaguaiagwyki.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])eiswaaguaiagwyki\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026192; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain qgyyeqwswuqaecia.org"; dns.query; content:"qgyyeqwswuqaecia.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])qgyyeqwswuqaecia\.org$/i"; classtype:trojan-activity; sid:4026201; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain qgyyeqwswuqaecia.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"qgyyeqwswuqaecia.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])qgyyeqwswuqaecia\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026202; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain qgqumocaowgkkiic.org"; dns.query; content:"qgqumocaowgkkiic.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])qgqumocaowgkkiic\.org$/i"; classtype:trojan-activity; sid:4026211; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain 
qgqumocaowgkkiic.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"qgqumocaowgkkiic.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])qgqumocaowgkkiic\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026212; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain eikscoeocssaqcgk.org"; dns.query; content:"eikscoeocssaqcgk.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])eikscoeocssaqcgk\.org$/i"; classtype:trojan-activity; sid:4026221; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain eikscoeocssaqcgk.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"eikscoeocssaqcgk.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])eikscoeocssaqcgk\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026222; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain aaukqiooaseseuke.org"; dns.query; content:"aaukqiooaseseuke.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])aaukqiooaseseuke\.org$/i"; classtype:trojan-activity; sid:4026231; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain aaukqiooaseseuke.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"aaukqiooaseseuke.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])aaukqiooaseseuke\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026232; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain gmumwmiwoqegwiwo.org"; dns.query; 
content:"gmumwmiwoqegwiwo.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])gmumwmiwoqegwiwo\.org$/i"; classtype:trojan-activity; sid:4026241; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain gmumwmiwoqegwiwo.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gmumwmiwoqegwiwo.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gmumwmiwoqegwiwo\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026242; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain uokkwqswimaamcwe.org"; dns.query; content:"uokkwqswimaamcwe.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])uokkwqswimaamcwe\.org$/i"; classtype:trojan-activity; sid:4026251; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain uokkwqswimaamcwe.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"uokkwqswimaamcwe.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])uokkwqswimaamcwe\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026252; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain uoooqoeoycaegcwy.org"; dns.query; content:"uoooqoeoycaegcwy.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])uoooqoeoycaegcwy\.org$/i"; classtype:trojan-activity; sid:4026261; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain uoooqoeoycaegcwy.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"uoooqoeoycaegcwy.org"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])uoooqoeoycaegcwy\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026262; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain occckkseyiwaqgqo.org"; dns.query; content:"occckkseyiwaqgqo.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])occckkseyiwaqgqo\.org$/i"; classtype:trojan-activity; sid:4026271; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain occckkseyiwaqgqo.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"occckkseyiwaqgqo.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])occckkseyiwaqgqo\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026272; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain qgwccyckcsuyiuwo.org"; dns.query; content:"qgwccyckcsuyiuwo.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])qgwccyckcsuyiuwo\.org$/i"; classtype:trojan-activity; sid:4026281; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain qgwccyckcsuyiuwo.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"qgwccyckcsuyiuwo.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])qgwccyckcsuyiuwo\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026282; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain eimqqakugeccgwak.org"; dns.query; content:"eimqqakugeccgwak.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])eimqqakugeccgwak\.org$/i"; classtype:trojan-activity; sid:4026301; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain eimqqakugeccgwak.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"eimqqakugeccgwak.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])eimqqakugeccgwak\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026302; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain uogwoigiuweyccsw.org"; dns.query; content:"uogwoigiuweyccsw.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])uogwoigiuweyccsw\.org$/i"; classtype:trojan-activity; sid:4026311; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain uogwoigiuweyccsw.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"uogwoigiuweyccsw.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])uogwoigiuweyccsw\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026312; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain aamsmqscyuycigcw.org"; dns.query; content:"aamsmqscyuycigcw.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])aamsmqscyuycigcw\.org$/i"; classtype:trojan-activity; sid:4026321; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain aamsmqscyuycigcw.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"aamsmqscyuycigcw.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])aamsmqscyuycigcw\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026322; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain iqswksmkegumawkm.org"; dns.query; content:"iqswksmkegumawkm.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])iqswksmkegumawkm\.org$/i"; classtype:trojan-activity; sid:4026331; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain iqswksmkegumawkm.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"iqswksmkegumawkm.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])iqswksmkegumawkm\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026332; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain cemecwmgkyqayekw.org"; dns.query; content:"cemecwmgkyqayekw.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])cemecwmgkyqayekw\.org$/i"; classtype:trojan-activity; sid:4026341; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain cemecwmgkyqayekw.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cemecwmgkyqayekw.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cemecwmgkyqayekw\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026342; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain qgmcgoqeasgommee.org"; dns.query; content:"qgmcgoqeasgommee.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])qgmcgoqeasgommee\.org$/i"; classtype:trojan-activity; sid:4026351; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain 
qgmcgoqeasgommee.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"qgmcgoqeasgommee.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])qgmcgoqeasgommee\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026352; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain cequgkoesycwquwa.org"; dns.query; content:"cequgkoesycwquwa.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])cequgkoesycwquwa\.org$/i"; classtype:trojan-activity; sid:4026361; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain cequgkoesycwquwa.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cequgkoesycwquwa.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cequgkoesycwquwa\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026362; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain aaiwoisiaeygwwoo.org"; dns.query; content:"aaiwoisiaeygwwoo.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])aaiwoisiaeygwwoo\.org$/i"; classtype:trojan-activity; sid:4026371; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain aaiwoisiaeygwwoo.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"aaiwoisiaeygwwoo.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])aaiwoisiaeygwwoo\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026372; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain cemkacimaqsyomam.org"; dns.query; 
content:"cemkacimaqsyomam.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])cemkacimaqsyomam\.org$/i"; classtype:trojan-activity; sid:4026381; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain cemkacimaqsyomam.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cemkacimaqsyomam.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cemkacimaqsyomam\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026382; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain iqwoocisysswikqa.org"; dns.query; content:"iqwoocisysswikqa.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])iqwoocisysswikqa\.org$/i"; classtype:trojan-activity; sid:4026391; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain iqwoocisysswikqa.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"iqwoocisysswikqa.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])iqwoocisysswikqa\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026392; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain kumsyycmsakisuwo.org"; dns.query; content:"kumsyycmsakisuwo.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])kumsyycmsakisuwo\.org$/i"; classtype:trojan-activity; sid:4026401; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain kumsyycmsakisuwo.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kumsyycmsakisuwo.org"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])kumsyycmsakisuwo\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026402; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain ywaiukgcmmmcwqmk.org"; dns.query; content:"ywaiukgcmmmcwqmk.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])ywaiukgcmmmcwqmk\.org$/i"; classtype:trojan-activity; sid:4026411; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain ywaiukgcmmmcwqmk.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ywaiukgcmmmcwqmk.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ywaiukgcmmmcwqmk\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026412; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain kuqoiwicemaqwuok.org"; dns.query; content:"kuqoiwicemaqwuok.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])kuqoiwicemaqwuok\.org$/i"; classtype:trojan-activity; sid:4026421; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain kuqoiwicemaqwuok.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kuqoiwicemaqwuok.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kuqoiwicemaqwuok\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026422; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain sksgusukmqqomysk.org"; dns.query; content:"sksgusukmqqomysk.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])sksgusukmqqomysk\.org$/i"; classtype:trojan-activity; sid:4026431; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain sksgusukmqqomysk.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sksgusukmqqomysk.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sksgusukmqqomysk\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026432; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain iqkggemqmeyceguo.org"; dns.query; content:"iqkggemqmeyceguo.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])iqkggemqmeyceguo\.org$/i"; classtype:trojan-activity; sid:4026441; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain iqkggemqmeyceguo.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"iqkggemqmeyceguo.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])iqkggemqmeyceguo\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026442; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain eiwesimwaeqauiek.org"; dns.query; content:"eiwesimwaeqauiek.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])eiwesimwaeqauiek\.org$/i"; classtype:trojan-activity; sid:4026451; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain eiwesimwaeqauiek.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"eiwesimwaeqauiek.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])eiwesimwaeqauiek\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026452; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain kuqcuyqmaggguqum.org"; dns.query; content:"kuqcuyqmaggguqum.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])kuqcuyqmaggguqum\.org$/i"; classtype:trojan-activity; sid:4026461; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain kuqcuyqmaggguqum.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kuqcuyqmaggguqum.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kuqcuyqmaggguqum\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026462; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain gmykmcguecgigese.org"; dns.query; content:"gmykmcguecgigese.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])gmykmcguecgigese\.org$/i"; classtype:trojan-activity; sid:4026471; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain gmykmcguecgigese.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gmykmcguecgigese.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gmykmcguecgigese\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026472; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain skaakuomwgacoqyg.org"; dns.query; content:"skaakuomwgacoqyg.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])skaakuomwgacoqyg\.org$/i"; classtype:trojan-activity; sid:4026481; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain 
skaakuomwgacoqyg.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"skaakuomwgacoqyg.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])skaakuomwgacoqyg\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026482; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain skoiuagogwwkccoc.org"; dns.query; content:"skoiuagogwwkccoc.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])skoiuagogwwkccoc\.org$/i"; classtype:trojan-activity; sid:4026491; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain skoiuagogwwkccoc.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"skoiuagogwwkccoc.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])skoiuagogwwkccoc\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026492; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain gmewmeycikyooqsi.org"; dns.query; content:"gmewmeycikyooqsi.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])gmewmeycikyooqsi\.org$/i"; classtype:trojan-activity; sid:4026501; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain gmewmeycikyooqsi.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gmewmeycikyooqsi.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gmewmeycikyooqsi\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026502; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;) alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain sksqqagakeicoeso.org"; dns.query; 
content:"sksqqagakeicoeso.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])sksqqagakeicoeso\.org$/i"; classtype:trojan-activity; sid:4026511; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;)
# --- MISP event 52 (https://misp.botvrij.eu/events/view/52), continued ---
# Every indicator in this export is emitted as a pair of rules:
#  * a DNS rule on dns.query with "any any -> any any" as the address/port
#    tuple, so it also fires on a recursive resolver's upstream lookups; the
#    alert's source IP may then be the resolver, not the querying host;
#  * an HTTP rule on an outbound, established client request (flow:to_server,
#    established) anchored on the Host header ("Host|3a|") of cleartext HTTP.
# No tls.sni rule is emitted anywhere in this export, so HTTPS connections to
# these names are NOT covered by it; add SNI rules separately if needed.
# "Domain" indicators use the prefix class [^A-Za-z0-9-] in the pcre: a
# preceding "." is allowed, so any subdomain of the indicator also matches.
# "Hostname" indicators (event 54 below) use [^A-Za-z0-9-\.] and match the
# exact host only. The "$" in the DNS pcre rejects longer names that merely
# start with the indicator (e.g. <indicator>.evil.example).
# tag:session,600,seconds on the HTTP rules logs the remainder of the matched
# session for 600 s, so the request and its response are available for triage.
# The 16-character lowercase .org names in this event look algorithmically
# generated -- presumably DGA output; confirm against the event before tuning.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain sksqqagakeicoeso.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sksqqagakeicoeso.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sksqqagakeicoeso\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026512; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;)
alert dns any any -> any any (msg: "MISP e52 [tlp:white] Domain uoewuismooowgcui.org"; dns.query; content:"uoewuismooowgcui.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])uoewuismooowgcui\.org$/i"; classtype:trojan-activity; sid:4026521; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e52 [tlp:white] Outgoing HTTP Domain uoewuismooowgcui.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"uoewuismooowgcui.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])uoewuismooowgcui\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026522; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/52;)
# --- MISP event 54 (https://misp.botvrij.eu/events/view/54) ---
# "Hostname" indicator: exact-host match only (the pcre prefix class excludes
# "."), so other hosts under cablecar.at do not trigger. The HTTP rule matches
# the literal header "Host: www.cablecar.at" (one space after the colon). The
# indicator is a www host on an otherwise ordinary-looking domain -- possibly
# a compromised legitimate site rather than attacker-registered; check the
# event context before blocking the whole domain.
alert dns any any -> any any (msg: "MISP e54 [tlp:white] Hostname www.cablecar.at"; dns.query; content:"www.cablecar.at"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.cablecar\.at$/i"; classtype:trojan-activity; sid:4026651; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/54;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e54 [tlp:white] Outgoing HTTP Hostname www.cablecar.at"; flow:to_server,established; http.header; content: "Host|3a| www.cablecar.at"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.cablecar\.at[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026652; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/54;)
# Bare IP indicator: any IP protocol, any port, no flow, threshold or tag
# keyword, so every packet from $HOME_NET to this address raises its own alert
# and nothing of the session is captured. IP indicators age quickly (shared
# hosting, re-assigned addresses) -- re-validate against the event and consider
# a threshold before deploying in a noisy environment.
alert ip $HOME_NET any -> 81.19.145.97 any (msg: "MISP e54 [tlp:white] Outgoing To IP: 81.19.145.97"; classtype:trojan-activity; sid:4026661; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/54;)
# --- MISP event 55 (https://misp.botvrij.eu/events/view/55) ---
# Exported with priority:2, i.e. more urgent than the priority:3 used by
# events 52 and 54 (lower number = higher priority in Suricata). Several of the
# names imitate Apple/iCloud services (e.g. localiser-icloud.com) -- presumably
# credential-phishing infrastructure; verify in the event before escalating.
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain catholicsinaliance.org"; dns.query; content:"catholicsinaliance.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])catholicsinaliance\.org$/i"; classtype:trojan-activity; sid:4026691; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain catholicsinaliance.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"catholicsinaliance.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])catholicsinaliance\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026692; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain localiser-icloud.com"; dns.query; content:"localiser-icloud.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])localiser\-icloud\.com$/i"; classtype:trojan-activity; sid:4026701; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain localiser-icloud.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"localiser-icloud.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])localiser\-icloud\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026702; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP 
e55 [tlp:white] Domain inside-apple-localisation.com"; dns.query; content:"inside-apple-localisation.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])inside\-apple\-localisation\.com$/i"; classtype:trojan-activity; sid:4026711; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
# ---------------------------------------------------------------------------------------
# MISP event 55 (priority 2): paired DNS / HTTP domain rules, one rule per line.
# Every domain indicator in this event is exported as a pair:
#   * a `dns.query` rule (any -> any, so queries in both directions) whose pcre is
#     anchored with `$` and prefixed with `(^|[^A-Za-z0-9-])`: the exact domain AND any
#     subdomain of it match, while a longer look-alike such as "notmail-navy.ro" does not
#     (the plain `content:` match is only the pre-filter; the pcre decides);
#   * an `http` rule for outbound, established client traffic. Note that
#     `content: "Host|3a|"` and the domain `content:` are two independent `http.header`
#     matches and the pcre carries the `H` (whole header block) modifier, so the domain
#     is NOT required to be in the Host header itself -- a Referer or any other header
#     carrying it also fires. Use `http.host`-based rules if Host-only precision is needed.
# Only cleartext HTTP is covered: no `tls.sni` rule is exported for these domains in this
# section, so HTTPS connections are seen through the DNS rule alone (or not at all when
# DNS is resolved off-sensor, e.g. via DoH or a remote resolver).
# Most names below read as look-alikes of mail / government / vendor services (g0v, qov,
# gooqle, loqin, teiecom, rn-mail, ...), i.e. credential-phishing infrastructure.
# NOTE(review): the event date is not part of this export -- confirm the indicators are
# still live before alerting on them; expired phishing domains get re-registered.
# `tag:session,600,seconds` on the HTTP rules logs the whole session for 10 minutes after
# a hit: useful for triage, but it raises EVE/pcap volume on a busy sensor.
# ---------------------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain inside-apple-localisation.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"inside-apple-localisation.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])inside\-apple\-localisation\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026712; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain inside-localisation-apple.com"; dns.query; content:"inside-localisation-apple.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])inside\-localisation\-apple\.com$/i"; classtype:trojan-activity; sid:4026721; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain inside-localisation-apple.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"inside-localisation-apple.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])inside\-localisation\-apple\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026722; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain account-web.de"; dns.query; content:"account-web.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])account\-web\.de$/i"; classtype:trojan-activity; sid:4026731; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain account-web.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"account-web.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])account\-web\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026732; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain securityicloudservice.com"; dns.query; content:"securityicloudservice.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])securityicloudservice\.com$/i"; classtype:trojan-activity; sid:4026741; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain securityicloudservice.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"securityicloudservice.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])securityicloudservice\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026742; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain bestapplestore.com"; dns.query; content:"bestapplestore.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])bestapplestore\.com$/i"; classtype:trojan-activity; sid:4026751; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain bestapplestore.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bestapplestore.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bestapplestore\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026752; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain wsjworld.com"; dns.query; content:"wsjworld.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])wsjworld\.com$/i"; classtype:trojan-activity; sid:4026761; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain wsjworld.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wsjworld.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wsjworld\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026762; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain worldpoliticsreviews.com"; dns.query; content:"worldpoliticsreviews.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])worldpoliticsreviews\.com$/i"; classtype:trojan-activity; sid:4026771; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain worldpoliticsreviews.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"worldpoliticsreviews.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])worldpoliticsreviews\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026772; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain mailhost.university-tartu.info"; dns.query; content:"mailhost.university-tartu.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])mailhost\.university\-tartu\.info$/i"; classtype:trojan-activity; sid:4026781; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain mailhost.university-tartu.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mailhost.university-tartu.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mailhost\.university\-tartu\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026782; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain mail.armf.bg.message-id8665213.tk"; dns.query; content:"mail.armf.bg.message-id8665213.tk"; nocase; pcre: "/(^|[^A-Za-z0-9-])mail\.armf\.bg\.message\-id8665213\.tk$/i"; classtype:trojan-activity; sid:4026791; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain mail.armf.bg.message-id8665213.tk"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mail.armf.bg.message-id8665213.tk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mail\.armf\.bg\.message\-id8665213\.tk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026792; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain setting-mail.ru"; dns.query; content:"setting-mail.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])setting\-mail\.ru$/i"; classtype:trojan-activity; sid:4026801; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain setting-mail.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"setting-mail.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])setting\-mail\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026802; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain loqin-yandex.ru"; dns.query; content:"loqin-yandex.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])loqin\-yandex\.ru$/i"; classtype:trojan-activity; sid:4026811; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain loqin-yandex.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"loqin-yandex.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])loqin\-yandex\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026812; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain play.gooqle.eu.com"; dns.query; content:"play.gooqle.eu.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])play\.gooqle\.eu\.com$/i"; classtype:trojan-activity; sid:4026821; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain play.gooqle.eu.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"play.gooqle.eu.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])play\.gooqle\.eu\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026822; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain eposta.basbakanlik.qov.web.tr"; dns.query; content:"eposta.basbakanlik.qov.web.tr"; nocase; pcre: "/(^|[^A-Za-z0-9-])eposta\.basbakanlik\.qov\.web\.tr$/i"; classtype:trojan-activity; sid:4026831; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain eposta.basbakanlik.qov.web.tr"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"eposta.basbakanlik.qov.web.tr"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])eposta\.basbakanlik\.qov\.web\.tr[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026832; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain poczta.mon-gov.pl"; dns.query; content:"poczta.mon-gov.pl"; nocase; pcre: "/(^|[^A-Za-z0-9-])poczta\.mon\-gov\.pl$/i"; classtype:trojan-activity; sid:4026841; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain poczta.mon-gov.pl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"poczta.mon-gov.pl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])poczta\.mon\-gov\.pl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026842; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain yahoo.securepassword.info"; dns.query; content:"yahoo.securepassword.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])yahoo\.securepassword\.info$/i"; classtype:trojan-activity; sid:4026851; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain yahoo.securepassword.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"yahoo.securepassword.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])yahoo\.securepassword\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026852; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain posta-hurriyet.com"; dns.query; content:"posta-hurriyet.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])posta\-hurriyet\.com$/i"; classtype:trojan-activity; sid:4026861; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain posta-hurriyet.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"posta-hurriyet.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])posta\-hurriyet\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026862; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain tbmm.qov.web.tr"; dns.query; content:"tbmm.qov.web.tr"; nocase; pcre: "/(^|[^A-Za-z0-9-])tbmm\.qov\.web\.tr$/i"; classtype:trojan-activity; sid:4026871; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain tbmm.qov.web.tr"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tbmm.qov.web.tr"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tbmm\.qov\.web\.tr[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026872; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain mailhost-ut.ee"; dns.query; content:"mailhost-ut.ee"; nocase; pcre: "/(^|[^A-Za-z0-9-])mailhost\-ut\.ee$/i"; classtype:trojan-activity; sid:4026881; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain mailhost-ut.ee"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mailhost-ut.ee"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mailhost\-ut\.ee[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026882; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain privacy-facebook.me"; dns.query; content:"privacy-facebook.me"; nocase; pcre: "/(^|[^A-Za-z0-9-])privacy\-facebook\.me$/i"; classtype:trojan-activity; sid:4026891; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain privacy-facebook.me"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"privacy-facebook.me"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])privacy\-facebook\.me[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026892; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain mail-hurriyet.com"; dns.query; content:"mail-hurriyet.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])mail\-hurriyet\.com$/i"; classtype:trojan-activity; sid:4026901; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain mail-hurriyet.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mail-hurriyet.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mail\-hurriyet\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026902; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain cc-yahoo-inc.org"; dns.query; content:"cc-yahoo-inc.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])cc\-yahoo\-inc\.org$/i"; classtype:trojan-activity; sid:4026911; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain cc-yahoo-inc.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cc-yahoo-inc.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cc\-yahoo\-inc\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026912; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain e-post.byegm.web.tr"; dns.query; content:"e-post.byegm.web.tr"; nocase; pcre: "/(^|[^A-Za-z0-9-])e\-post\.byegm\.web\.tr$/i"; classtype:trojan-activity; sid:4026921; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain e-post.byegm.web.tr"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"e-post.byegm.web.tr"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])e\-post\.byegm\.web\.tr[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026922; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain marktingvb.ml"; dns.query; content:"marktingvb.ml"; nocase; pcre: "/(^|[^A-Za-z0-9-])marktingvb\.ml$/i"; classtype:trojan-activity; sid:4026931; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain marktingvb.ml"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"marktingvb.ml"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])marktingvb\.ml[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026932; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain mail.byegm.web.tr"; dns.query; content:"mail.byegm.web.tr"; nocase; pcre: "/(^|[^A-Za-z0-9-])mail\.byegm\.web\.tr$/i"; classtype:trojan-activity; sid:4026941; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain mail.byegm.web.tr"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mail.byegm.web.tr"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mail\.byegm\.web\.tr[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026942; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain mail.mofa.g0v.qa"; dns.query; content:"mail.mofa.g0v.qa"; nocase; pcre: "/(^|[^A-Za-z0-9-])mail\.mofa\.g0v\.qa$/i"; classtype:trojan-activity; sid:4026951; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain mail.mofa.g0v.qa"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mail.mofa.g0v.qa"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mail\.mofa\.g0v\.qa[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026952; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain webmail-gov.me"; dns.query; content:"webmail-gov.me"; nocase; pcre: "/(^|[^A-Za-z0-9-])webmail\-gov\.me$/i"; classtype:trojan-activity; sid:4026961; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain webmail-gov.me"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"webmail-gov.me"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])webmail\-gov\.me[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026962; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain redirect2app.cf"; dns.query; content:"redirect2app.cf"; nocase; pcre: "/(^|[^A-Za-z0-9-])redirect2app\.cf$/i"; classtype:trojan-activity; sid:4026971; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain redirect2app.cf"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"redirect2app.cf"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])redirect2app\.cf[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026972; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain int-live.com"; dns.query; content:"int-live.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])int\-live\.com$/i"; classtype:trojan-activity; sid:4026981; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain int-live.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"int-live.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])int\-live\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026982; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain options-mail.ru"; dns.query; content:"options-mail.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])options\-mail\.ru$/i"; classtype:trojan-activity; sid:4026991; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain options-mail.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"options-mail.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])options\-mail\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4026992; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain mycloud-mail.ru"; dns.query; content:"mycloud-mail.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])mycloud\-mail\.ru$/i"; classtype:trojan-activity; sid:4027001; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain mycloud-mail.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mycloud-mail.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mycloud\-mail\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4027002; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain mail.g0v.me"; dns.query; content:"mail.g0v.me"; nocase; pcre: "/(^|[^A-Za-z0-9-])mail\.g0v\.me$/i"; classtype:trojan-activity; sid:4027011; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain mail.g0v.me"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mail.g0v.me"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mail\.g0v\.me[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4027012; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain mail-navy.ro"; dns.query; content:"mail-navy.ro"; nocase; pcre: "/(^|[^A-Za-z0-9-])mail\-navy\.ro$/i"; classtype:trojan-activity; sid:4027021; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain mail-navy.ro"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mail-navy.ro"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mail\-navy\.ro[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4027022; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain iraqinews.info"; dns.query; content:"iraqinews.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])iraqinews\.info$/i"; classtype:trojan-activity; sid:4027031; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain iraqinews.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"iraqinews.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])iraqinews\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4027032; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain mail-justus.com.ua"; dns.query; content:"mail-justus.com.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])mail\-justus\.com\.ua$/i"; classtype:trojan-activity; sid:4027041; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain mail-justus.com.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mail-justus.com.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mail\-justus\.com\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4027042; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain reuters-press.com"; dns.query; content:"reuters-press.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])reuters\-press\.com$/i"; classtype:trojan-activity; sid:4027051; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain reuters-press.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"reuters-press.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])reuters\-press\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4027052; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain help-yahoo-service.com"; dns.query; content:"help-yahoo-service.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])help\-yahoo\-service\.com$/i"; classtype:trojan-activity; sid:4027061; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain help-yahoo-service.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"help-yahoo-service.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])help\-yahoo\-service\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4027062; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain mail.kuwaitarmy.gov-kw.com"; dns.query; content:"mail.kuwaitarmy.gov-kw.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])mail\.kuwaitarmy\.gov\-kw\.com$/i"; classtype:trojan-activity; sid:4027071; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain mail.kuwaitarmy.gov-kw.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mail.kuwaitarmy.gov-kw.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mail\.kuwaitarmy\.gov\-kw\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4027072; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain nato-news.com"; dns.query; content:"nato-news.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])nato\-news\.com$/i"; classtype:trojan-activity; sid:4027081; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain nato-news.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nato-news.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nato\-news\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4027082; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain webmail.mofa.qov.ae"; dns.query; content:"webmail.mofa.qov.ae"; nocase; pcre: "/(^|[^A-Za-z0-9-])webmail\.mofa\.qov\.ae$/i"; classtype:trojan-activity; sid:4027091; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain webmail.mofa.qov.ae"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"webmail.mofa.qov.ae"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])webmail\.mofa\.qov\.ae[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4027092; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain mailmil.ae"; dns.query; content:"mailmil.ae"; nocase; pcre: "/(^|[^A-Za-z0-9-])mailmil\.ae$/i"; classtype:trojan-activity; sid:4027101; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain mailmil.ae"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mailmil.ae"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mailmil\.ae[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4027102; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain mail.rsaf.qov.sa.com"; dns.query; content:"mail.rsaf.qov.sa.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])mail\.rsaf\.qov\.sa\.com$/i"; classtype:trojan-activity; sid:4027111; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain mail.rsaf.qov.sa.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mail.rsaf.qov.sa.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mail\.rsaf\.qov\.sa\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4027112; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain mail.teiecomitalia.it"; dns.query; content:"mail.teiecomitalia.it"; nocase; pcre: "/(^|[^A-Za-z0-9-])mail\.teiecomitalia\.it$/i"; classtype:trojan-activity; sid:4027121; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain mail.teiecomitalia.it"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mail.teiecomitalia.it"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mail\.teiecomitalia\.it[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4027122; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain live-settings.com"; dns.query; content:"live-settings.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])live\-settings\.com$/i"; classtype:trojan-activity; sid:4027131; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain live-settings.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"live-settings.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])live\-settings\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4027132; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain military-info.eu"; dns.query; content:"military-info.eu"; nocase; pcre: "/(^|[^A-Za-z0-9-])military\-info\.eu$/i"; classtype:trojan-activity; sid:4027141; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain military-info.eu"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"military-info.eu"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])military\-info\.eu[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4027142; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain electronicfrontierfoundation.org"; dns.query; content:"electronicfrontierfoundation.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])electronicfrontierfoundation\.org$/i"; classtype:trojan-activity; sid:4027151; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain electronicfrontierfoundation.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"electronicfrontierfoundation.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])electronicfrontierfoundation\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4027152; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain osce-press.com"; dns.query; content:"osce-press.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])osce\-press\.com$/i"; classtype:trojan-activity; sid:4027161; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain osce-press.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"osce-press.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])osce\-press\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4027162; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain grab2d.com"; dns.query; content:"grab2d.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])grab2d\.com$/i"; classtype:trojan-activity; sid:4027171; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain grab2d.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"grab2d.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])grab2d\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4027172; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain bit2ly.com"; dns.query; content:"bit2ly.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])bit2ly\.com$/i"; classtype:trojan-activity; sid:4027181; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain bit2ly.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bit2ly.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bit2ly\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4027182; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain mobile-sanoma.net"; dns.query; content:"mobile-sanoma.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])mobile\-sanoma\.net$/i"; classtype:trojan-activity; sid:4027191; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain mobile-sanoma.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mobile-sanoma.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mobile\-sanoma\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4027192; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain euroreport24.com"; dns.query; content:"euroreport24.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])euroreport24\.com$/i"; classtype:trojan-activity; sid:4027201; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain euroreport24.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"euroreport24.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])euroreport24\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4027202; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain service-ukr.net"; dns.query; content:"service-ukr.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])service\-ukr\.net$/i"; classtype:trojan-activity; sid:4027211; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain service-ukr.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"service-ukr.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])service\-ukr\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4027212; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
# NOTE(review): sids 4027221/4027222 are absent here (the sid sequence jumps from
# service-ukr.net to rn-mail.ru); presumably an attribute not flagged for IDS export --
# verify against the event before assuming the sid range is contiguous in rule management.
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain rn-mail.ru"; dns.query; content:"rn-mail.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])rn\-mail\.ru$/i"; classtype:trojan-activity; sid:4027231; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain rn-mail.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"rn-mail.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])rn\-mail\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4027232; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain eservicesystems.net"; dns.query; content:"eservicesystems.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])eservicesystems\.net$/i"; classtype:trojan-activity; sid:4027241; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain eservicesystems.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"eservicesystems.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])eservicesystems\.net[^A-Za-z0-9-\.]/Hi"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4027242; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;) alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain defensenews.org"; dns.query; content:"defensenews.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])defensenews\.org$/i"; classtype:trojan-activity; sid:4027251; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain defensenews.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"defensenews.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])defensenews\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4027252; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;) alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain aijazeera.org"; dns.query; content:"aijazeera.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])aijazeera\.org$/i"; classtype:trojan-activity; sid:4027261; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain aijazeera.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"aijazeera.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])aijazeera\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4027262; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;) alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain itunes-helper.net"; dns.query; content:"itunes-helper.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])itunes\-helper\.net$/i"; classtype:trojan-activity; sid:4027271; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain 
itunes-helper.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"itunes-helper.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])itunes\-helper\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4027272; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;) alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain unbulletin.com"; dns.query; content:"unbulletin.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])unbulletin\.com$/i"; classtype:trojan-activity; sid:4027281; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain unbulletin.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"unbulletin.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])unbulletin\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4027282; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;) alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain mfagreece.com"; dns.query; content:"mfagreece.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])mfagreece\.com$/i"; classtype:trojan-activity; sid:4027291; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain mfagreece.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mfagreece.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mfagreece\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4027292; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;) alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain osce-info.com"; dns.query; content:"osce-info.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])osce\-info\.com$/i"; 
classtype:trojan-activity; sid:4027301; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain osce-info.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"osce-info.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])osce\-info\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4027302; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;) alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain privacy-yahooservice.com"; dns.query; content:"privacy-yahooservice.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])privacy\-yahooservice\.com$/i"; classtype:trojan-activity; sid:4027311; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain privacy-yahooservice.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"privacy-yahooservice.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])privacy\-yahooservice\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4027312; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;) alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain webmail-mil.gr"; dns.query; content:"webmail-mil.gr"; nocase; pcre: "/(^|[^A-Za-z0-9-])webmail\-mil\.gr$/i"; classtype:trojan-activity; sid:4027321; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain webmail-mil.gr"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"webmail-mil.gr"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])webmail\-mil\.gr[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; 
sid:4027322; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;) alert dns any any -> any any (msg: "MISP e55 [tlp:white] Domain accounts-updated-confirmation.com"; dns.query; content:"accounts-updated-confirmation.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])accounts\-updated\-confirmation\.com$/i"; classtype:trojan-activity; sid:4055181; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e55 [tlp:white] Outgoing HTTP Domain accounts-updated-confirmation.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"accounts-updated-confirmation.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])accounts\-updated\-confirmation\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4055182; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/55;) alert dns any any -> any any (msg: "MISP e57 [tlp:white] Hostname zsn5qtrgfpu4tmpg.tor2web.fi"; dns.query; content:"zsn5qtrgfpu4tmpg.tor2web.fi"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])zsn5qtrgfpu4tmpg\.tor2web\.fi$/i"; classtype:trojan-activity; sid:4027401; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e57 [tlp:white] Outgoing HTTP Hostname zsn5qtrgfpu4tmpg.tor2web.fi"; flow:to_server,established; http.header; content: "Host|3a| zsn5qtrgfpu4tmpg.tor2web.fi"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])zsn5qtrgfpu4tmpg\.tor2web\.fi[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4027402; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 194.150.168.74 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 194.150.168.74"; classtype:trojan-activity; sid:4027411; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 154.35.32.5 any (msg: "MISP e57 
[tlp:white] Outgoing To IP: 154.35.32.5"; classtype:trojan-activity; sid:4027421; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 86.59.21.38 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 86.59.21.38"; classtype:trojan-activity; sid:4027431; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 148.251.68.100 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 148.251.68.100"; classtype:trojan-activity; sid:4027441; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 188.165.26.13 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 188.165.26.13"; classtype:trojan-activity; sid:4027451; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 51.254.215.13 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 51.254.215.13"; classtype:trojan-activity; sid:4027461; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 163.172.7.30 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 163.172.7.30"; classtype:trojan-activity; sid:4027471; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 212.51.159.86 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 212.51.159.86"; classtype:trojan-activity; sid:4027481; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 5.135.159.110 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 5.135.159.110"; classtype:trojan-activity; sid:4027491; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 5.61.34.63 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 5.61.34.63"; classtype:trojan-activity; sid:4027501; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 5.175.233.86 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 5.175.233.86"; 
classtype:trojan-activity; sid:4027511; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 78.192.241.75 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 78.192.241.75"; classtype:trojan-activity; sid:4027521; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 212.51.128.44 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 212.51.128.44"; classtype:trojan-activity; sid:4027531; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 217.103.164.150 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 217.103.164.150"; classtype:trojan-activity; sid:4027541; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 62.210.206.25 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 62.210.206.25"; classtype:trojan-activity; sid:4027551; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 46.252.25.249 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 46.252.25.249"; classtype:trojan-activity; sid:4027561; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 37.230.119.37 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 37.230.119.37"; classtype:trojan-activity; sid:4027571; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 74.102.93.231 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 74.102.93.231"; classtype:trojan-activity; sid:4027581; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 89.163.235.163 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 89.163.235.163"; classtype:trojan-activity; sid:4027591; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 62.138.2.184 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 62.138.2.184"; classtype:trojan-activity; 
sid:4027601; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 80.198.105.184 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 80.198.105.184"; classtype:trojan-activity; sid:4027611; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 136.243.214.137 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 136.243.214.137"; classtype:trojan-activity; sid:4027621; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 217.79.179.177 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 217.79.179.177"; classtype:trojan-activity; sid:4027631; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 104.233.89.76 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 104.233.89.76"; classtype:trojan-activity; sid:4027641; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 198.27.119.92 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 198.27.119.92"; classtype:trojan-activity; sid:4027651; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 212.47.239.83 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 212.47.239.83"; classtype:trojan-activity; sid:4027661; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 78.85.219.41 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 78.85.219.41"; classtype:trojan-activity; sid:4027671; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 178.63.140.246 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 178.63.140.246"; classtype:trojan-activity; sid:4027681; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 213.136.81.89 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 213.136.81.89"; classtype:trojan-activity; sid:4027691; rev:1; 
priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 87.98.162.251 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 87.98.162.251"; classtype:trojan-activity; sid:4027701; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 80.100.250.244 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 80.100.250.244"; classtype:trojan-activity; sid:4027711; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 212.47.229.138 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 212.47.229.138"; classtype:trojan-activity; sid:4027721; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 163.172.133.36 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 163.172.133.36"; classtype:trojan-activity; sid:4027731; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 38.229.70.51 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 38.229.70.51"; classtype:trojan-activity; sid:4027741; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 51.255.198.77 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 51.255.198.77"; classtype:trojan-activity; sid:4027751; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 51.255.235.246 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 51.255.235.246"; classtype:trojan-activity; sid:4027761; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 217.160.126.50 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 217.160.126.50"; classtype:trojan-activity; sid:4027771; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 195.154.91.139 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 195.154.91.139"; classtype:trojan-activity; sid:4027781; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 18.181.5.37 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 18.181.5.37"; classtype:trojan-activity; sid:4027791; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 185.86.107.131 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 185.86.107.131"; classtype:trojan-activity; sid:4027801; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 64.237.51.46 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 64.237.51.46"; classtype:trojan-activity; sid:4027811; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 67.227.198.183 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 67.227.198.183"; classtype:trojan-activity; sid:4027821; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 193.11.164.243 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 193.11.164.243"; classtype:trojan-activity; sid:4027831; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 163.172.27.62 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 163.172.27.62"; classtype:trojan-activity; sid:4027841; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 188.40.51.232 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 188.40.51.232"; classtype:trojan-activity; sid:4027851; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 87.118.114.134 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 87.118.114.134"; classtype:trojan-activity; sid:4027861; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 85.214.151.72 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 85.214.151.72"; classtype:trojan-activity; sid:4027871; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 37.187.18.109 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 37.187.18.109"; classtype:trojan-activity; sid:4027881; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 38.229.70.61 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 38.229.70.61"; classtype:trojan-activity; sid:4027891; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 178.254.40.5 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 178.254.40.5"; classtype:trojan-activity; sid:4027901; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 144.2.118.84 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 144.2.118.84"; classtype:trojan-activity; sid:4027911; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 192.42.113.102 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 192.42.113.102"; classtype:trojan-activity; sid:4027921; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 77.66.12.185 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 77.66.12.185"; classtype:trojan-activity; sid:4027931; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 136.243.209.52 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 136.243.209.52"; classtype:trojan-activity; sid:4027941; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 178.62.199.226 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 178.62.199.226"; classtype:trojan-activity; sid:4027951; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 136.243.187.165 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 136.243.187.165"; classtype:trojan-activity; sid:4027961; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 149.202.49.87 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 149.202.49.87"; classtype:trojan-activity; sid:4027971; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 46.38.48.225 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 46.38.48.225"; classtype:trojan-activity; sid:4027981; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 83.162.202.182 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 83.162.202.182"; classtype:trojan-activity; sid:4027991; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 51.254.138.246 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 51.254.138.246"; classtype:trojan-activity; sid:4028001; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 178.254.2.89 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 178.254.2.89"; classtype:trojan-activity; sid:4028011; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 79.120.10.98 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 79.120.10.98"; classtype:trojan-activity; sid:4028021; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 81.28.197.126 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 81.28.197.126"; classtype:trojan-activity; sid:4028031; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 51.255.41.91 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 51.255.41.91"; classtype:trojan-activity; sid:4028041; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 146.71.104.123 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 146.71.104.123"; classtype:trojan-activity; sid:4028051; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 212.47.237.95 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 212.47.237.95"; classtype:trojan-activity; sid:4028061; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 95.211.216.9 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 95.211.216.9"; classtype:trojan-activity; sid:4028071; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 62.210.82.44 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 62.210.82.44"; classtype:trojan-activity; sid:4028081; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 176.9.50.119 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 176.9.50.119"; classtype:trojan-activity; sid:4028091; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 208.80.154.39 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 208.80.154.39"; classtype:trojan-activity; sid:4028101; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 195.154.251.25 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 195.154.251.25"; classtype:trojan-activity; sid:4028111; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 163.172.35.115 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 163.172.35.115"; classtype:trojan-activity; sid:4028121; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 46.28.207.19 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 46.28.207.19"; classtype:trojan-activity; sid:4028131; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 188.165.0.171 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 188.165.0.171"; classtype:trojan-activity; sid:4028141; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 212.51.156.173 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 212.51.156.173"; classtype:trojan-activity; sid:4028151; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 163.172.135.172 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 163.172.135.172"; classtype:trojan-activity; sid:4028161; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 188.166.37.108 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 188.166.37.108"; classtype:trojan-activity; sid:4028171; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 95.65.95.61 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 95.65.95.61"; classtype:trojan-activity; sid:4028181; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 46.4.0.156 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 46.4.0.156"; classtype:trojan-activity; sid:4028191; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 178.254.13.126 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 178.254.13.126"; classtype:trojan-activity; sid:4028201; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 145.220.0.15 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 145.220.0.15"; classtype:trojan-activity; sid:4028211; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 134.19.177.109 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 134.19.177.109"; classtype:trojan-activity; sid:4028221; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 217.12.210.207 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 217.12.210.207"; classtype:trojan-activity; sid:4028231; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 62.210.108.23 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 62.210.108.23"; classtype:trojan-activity; sid:4028241; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 188.166.35.67 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 188.166.35.67"; classtype:trojan-activity; sid:4028251; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 163.172.35.247 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 163.172.35.247"; classtype:trojan-activity; sid:4028261; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 178.62.93.36 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 178.62.93.36"; classtype:trojan-activity; sid:4028271; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 88.198.192.156 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 88.198.192.156"; classtype:trojan-activity; sid:4028281; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 80.90.56.144 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 80.90.56.144"; classtype:trojan-activity; sid:4028291; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 130.193.15.186 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 130.193.15.186"; classtype:trojan-activity; sid:4028301; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 185.100.84.175 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 185.100.84.175"; classtype:trojan-activity; sid:4028311; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 81.7.16.31 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 81.7.16.31"; classtype:trojan-activity; sid:4028321; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 178.32.44.157 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 178.32.44.157"; classtype:trojan-activity; sid:4028331; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 141.0.21.242 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 141.0.21.242"; classtype:trojan-activity; sid:4028341; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 5.104.106.38 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 5.104.106.38"; classtype:trojan-activity; sid:4028351; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 109.120.180.245 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 109.120.180.245"; classtype:trojan-activity; sid:4028361; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 62.210.138.3 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 62.210.138.3"; classtype:trojan-activity; sid:4028371; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 185.82.21.188 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 185.82.21.188"; classtype:trojan-activity; sid:4028381; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 213.163.70.234 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 213.163.70.234"; classtype:trojan-activity; sid:4028391; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 193.11.114.43 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 193.11.114.43"; classtype:trojan-activity; sid:4028401; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 46.101.9.51 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 46.101.9.51"; classtype:trojan-activity; sid:4028411; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 209.222.8.196 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 209.222.8.196"; classtype:trojan-activity; sid:4028421; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 62.113.216.173 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 62.113.216.173"; classtype:trojan-activity; sid:4028431; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 130.185.133.10 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 130.185.133.10"; classtype:trojan-activity; sid:4028441; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 217.12.210.214 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 217.12.210.214"; classtype:trojan-activity; sid:4028451; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 176.158.132.12 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 176.158.132.12"; classtype:trojan-activity; sid:4028461; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 195.154.164.243 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 195.154.164.243"; classtype:trojan-activity; sid:4028471; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 134.119.36.135 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 134.119.36.135"; classtype:trojan-activity; sid:4028481; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 38.229.79.2 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 38.229.79.2"; classtype:trojan-activity; sid:4028491; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 188.166.133.133 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 188.166.133.133"; classtype:trojan-activity; sid:4028501; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 185.60.146.221 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 185.60.146.221"; classtype:trojan-activity; sid:4028511; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 83.85.252.55 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 83.85.252.55"; classtype:trojan-activity; sid:4028521; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 62.210.92.11 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 62.210.92.11"; classtype:trojan-activity; sid:4028531; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 83.218.134.237 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 83.218.134.237"; classtype:trojan-activity; sid:4028541; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 89.163.209.233 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 89.163.209.233"; classtype:trojan-activity; sid:4028551; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 109.126.13.110 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 109.126.13.110"; classtype:trojan-activity; sid:4028561; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 46.101.220.161 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 46.101.220.161"; classtype:trojan-activity; sid:4028571; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 62.210.198.108 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 62.210.198.108"; classtype:trojan-activity; sid:4028581; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 213.239.216.222 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 213.239.216.222"; classtype:trojan-activity; sid:4028591; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 167.114.237.140 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 167.114.237.140"; classtype:trojan-activity; sid:4028601; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 46.23.70.195 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 46.23.70.195"; classtype:trojan-activity; sid:4028611; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 5.199.129.129 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 5.199.129.129"; classtype:trojan-activity; sid:4028621; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 151.236.14.149 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 151.236.14.149"; classtype:trojan-activity; sid:4028631; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 94.242.58.51 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 94.242.58.51"; classtype:trojan-activity; sid:4028641; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 192.87.28.82 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 192.87.28.82"; classtype:trojan-activity; sid:4028651; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 148.251.100.168 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 148.251.100.168"; classtype:trojan-activity; sid:4028661; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 195.154.73.212 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 195.154.73.212"; classtype:trojan-activity; sid:4028671; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 51.254.215.129 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 51.254.215.129"; classtype:trojan-activity; sid:4028681; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 192.42.116.161 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 192.42.116.161"; classtype:trojan-activity; sid:4028691; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 95.141.83.146 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 95.141.83.146"; classtype:trojan-activity; sid:4028701; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 148.251.190.229 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 148.251.190.229"; classtype:trojan-activity; sid:4028711; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 91.121.195.169 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 91.121.195.169"; classtype:trojan-activity; sid:4028721; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 188.226.200.216 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 188.226.200.216"; classtype:trojan-activity; sid:4028731; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 185.32.160.22 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 185.32.160.22"; classtype:trojan-activity; sid:4028741; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 188.40.109.146 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 188.40.109.146"; classtype:trojan-activity; sid:4028751; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 23.254.166.222 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 23.254.166.222"; classtype:trojan-activity; sid:4028761; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 62.210.124.124 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 62.210.124.124"; classtype:trojan-activity; sid:4028771; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 92.222.204.96 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 92.222.204.96"; classtype:trojan-activity; sid:4028781; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 212.129.42.9 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 212.129.42.9"; classtype:trojan-activity; sid:4028791; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 158.58.170.27 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 158.58.170.27"; classtype:trojan-activity; sid:4028801; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 82.223.21.74 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 82.223.21.74"; classtype:trojan-activity; sid:4028811; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 217.79.178.60 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 217.79.178.60"; classtype:trojan-activity; sid:4028821; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 109.104.12.92 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 109.104.12.92"; classtype:trojan-activity; sid:4028831; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 162.243.119.52 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 162.243.119.52"; classtype:trojan-activity; sid:4028841; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 81.173.240.81 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 81.173.240.81"; classtype:trojan-activity; sid:4028851; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 91.121.23.100 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 91.121.23.100"; classtype:trojan-activity; sid:4028861; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 195.154.42.18 any (msg: "MISP e57 [tlp:white] Outgoing To IP: 195.154.42.18"; classtype:trojan-activity; sid:4028871; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/57;) alert ip $HOME_NET any -> 54.175.208.187 any (msg: "MISP e58 [tlp:white] Outgoing To IP: 54.175.208.187"; classtype:trojan-activity; sid:4028961; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/58;) alert ip $HOME_NET any -> 23.22.38.222 any (msg: "MISP e58 [tlp:white] Outgoing To IP: 23.22.38.222"; classtype:trojan-activity; sid:4028971; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/58;) alert dns any any -> any any (msg: "MISP e58 [tlp:white] Domain disk-fulldatabase.rhcloud.com"; dns.query; content:"disk-fulldatabase.rhcloud.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])disk\-fulldatabase\.rhcloud\.com$/i"; classtype:trojan-activity; sid:4028981; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/58;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e58 [tlp:white] Outgoing HTTP Domain disk-fulldatabase.rhcloud.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"disk-fulldatabase.rhcloud.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])disk\-fulldatabase\.rhcloud\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4028982; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/58;) alert dns any any -> any any (msg: "MISP e58 [tlp:white] Domain wallejob.in.ua"; dns.query; content:"wallejob.in.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])wallejob\.in\.ua$/i"; classtype:trojan-activity; sid:4028991; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/58;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e58 [tlp:white] Outgoing HTTP Domain wallejob.in.ua"; flow:to_server,established; http.header; content: "Host|3a|"; 
nocase; http.header; content:"wallejob.in.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wallejob\.in\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4028992; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/58;) alert ip $HOME_NET any -> 185.68.16.35 any (msg: "MISP e58 [tlp:white] Outgoing To IP: 185.68.16.35"; classtype:trojan-activity; sid:4029001; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/58;) alert dns any any -> any any (msg: "MISP e58 [tlp:white] Domain wallex.ho.ua"; dns.query; content:"wallex.ho.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])wallex\.ho\.ua$/i"; classtype:trojan-activity; sid:4029011; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/58;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e58 [tlp:white] Outgoing HTTP Domain wallex.ho.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wallex.ho.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wallex\.ho\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4029012; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/58;) alert ip $HOME_NET any -> 91.228.146.13 any (msg: "MISP e58 [tlp:white] Outgoing To IP: 91.228.146.13"; classtype:trojan-activity; sid:4029021; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/58;) alert dns any any -> any any (msg: "MISP e58 [tlp:white] Domain gils.ho.ua"; dns.query; content:"gils.ho.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])gils\.ho\.ua$/i"; classtype:trojan-activity; sid:4029031; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/58;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e58 [tlp:white] Outgoing HTTP Domain gils.ho.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gils.ho.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gils\.ho\.ua[^A-Za-z0-9-\.]/Hi"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4029032; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/58;) alert ip $HOME_NET any -> 91.228.146.12 any (msg: "MISP e58 [tlp:white] Outgoing To IP: 91.228.146.12"; classtype:trojan-activity; sid:4029041; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/58;) alert dns any any -> any any (msg: "MISP e58 [tlp:white] Domain literat.ho.ua"; dns.query; content:"literat.ho.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])literat\.ho\.ua$/i"; classtype:trojan-activity; sid:4029051; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/58;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e58 [tlp:white] Outgoing HTTP Domain literat.ho.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"literat.ho.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])literat\.ho\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4029052; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/58;) alert dns any any -> any any (msg: "MISP e58 [tlp:white] Domain lefting.org"; dns.query; content:"lefting.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])lefting\.org$/i"; classtype:trojan-activity; sid:4029061; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/58;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e58 [tlp:white] Outgoing HTTP Domain lefting.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lefting.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lefting\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4029062; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/58;) alert ip $HOME_NET any -> 91.228.146.11 any (msg: "MISP e58 [tlp:white] Outgoing To IP: 91.228.146.11"; classtype:trojan-activity; sid:4029071; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/58;) alert dns any any -> any any (msg: "MISP e58 [tlp:white] Domain celebrat.net"; dns.query; content:"celebrat.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])celebrat\.net$/i"; classtype:trojan-activity; sid:4029081; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/58;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e58 [tlp:white] Outgoing HTTP Domain celebrat.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"celebrat.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])celebrat\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4029082; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/58;) alert dns any any -> any any (msg: "MISP e58 [tlp:white] Domain bolepaund.com"; dns.query; content:"bolepaund.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])bolepaund\.com$/i"; classtype:trojan-activity; sid:4029091; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/58;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e58 [tlp:white] Outgoing HTTP Domain bolepaund.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bolepaund.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bolepaund\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4029092; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/58;) alert ip $HOME_NET any -> 85.93.0.33 any (msg: "MISP e59 [tlp:white] Outgoing To IP: 85.93.0.33"; classtype:trojan-activity; sid:4029431; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/59;) alert dns any any -> any any (msg: "MISP e59 [tlp:white] Domain true.imwright.co.uk"; dns.query; content:"true.imwright.co.uk"; nocase; pcre: "/(^|[^A-Za-z0-9-])true\.imwright\.co\.uk$/i"; classtype:trojan-activity; sid:4029441; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/59;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e59 [tlp:white] Outgoing HTTP Domain true.imwright.co.uk"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"true.imwright.co.uk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])true\.imwright\.co\.uk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4029442; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/59;) alert ip $HOME_NET any -> 104.238.185.187 any (msg: "MISP e59 [tlp:white] Outgoing To IP: 104.238.185.187"; classtype:trojan-activity; sid:4029451; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/59;) alert ip $HOME_NET any -> 185.117.75.219 any (msg: "MISP e59 [tlp:white] Outgoing To IP: 185.117.75.219"; classtype:trojan-activity; sid:4029461; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/59;) alert ip $HOME_NET any -> 89.32.40.220 any (msg: "MISP e59 [tlp:white] Outgoing To IP: 89.32.40.220"; classtype:trojan-activity; sid:4029471; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/59;) alert dns any any -> any any (msg: "MISP e59 [tlp:white] Domain aktualizacje24.com"; dns.query; content:"aktualizacje24.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])aktualizacje24\.com$/i"; classtype:trojan-activity; sid:4029481; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/59;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e59 [tlp:white] Outgoing HTTP Domain aktualizacje24.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"aktualizacje24.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])aktualizacje24\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4029482; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/59;) alert dns any any -> any any (msg: "MISP e59 [tlp:white] Domain 
ubezpiecztransakcje.com"; dns.query; content:"ubezpiecztransakcje.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ubezpiecztransakcje\.com$/i"; classtype:trojan-activity; sid:4029491; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/59;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e59 [tlp:white] Outgoing HTTP Domain ubezpiecztransakcje.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ubezpiecztransakcje.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ubezpiecztransakcje\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4029492; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/59;) alert ip $HOME_NET any -> 95.183.52.215 any (msg: "MISP e59 [tlp:white] Outgoing To IP: 95.183.52.215"; classtype:trojan-activity; sid:4029501; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/59;) alert dns any any -> any any (msg: "MISP e59 [tlp:white] Domain aktualizacje240.pl"; dns.query; content:"aktualizacje240.pl"; nocase; pcre: "/(^|[^A-Za-z0-9-])aktualizacje240\.pl$/i"; classtype:trojan-activity; sid:4029511; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/59;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e59 [tlp:white] Outgoing HTTP Domain aktualizacje240.pl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"aktualizacje240.pl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])aktualizacje240\.pl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4029512; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/59;) alert dns any any -> any any (msg: "MISP e59 [tlp:white] Domain ndczaqefc.anein.top"; dns.query; content:"ndczaqefc.anein.top"; nocase; pcre: "/(^|[^A-Za-z0-9-])ndczaqefc\.anein\.top$/i"; classtype:trojan-activity; sid:4029521; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/59;) alert 
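http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e59 [tlp:white] Outgoing HTTP Domain ndczaqefc.anein.top"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ndczaqefc.anein.top"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ndczaqefc\.anein\.top[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4029522; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/59;)
alert dns any any -> any any (msg: "MISP e59 [tlp:white] Domain kmgb0.yle6to.top"; dns.query; content:"kmgb0.yle6to.top"; nocase; pcre: "/(^|[^A-Za-z0-9-])kmgb0\.yle6to\.top$/i"; classtype:trojan-activity; sid:4029531; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/59;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e59 [tlp:white] Outgoing HTTP Domain kmgb0.yle6to.top"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kmgb0.yle6to.top"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kmgb0\.yle6to\.top[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4029532; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/59;)
# NOTE(review): the e60 "Outgoing URL" indicators were exported without a scheme, so the
# generator put the whole "host/path" string into http.uri. For a normal direct request the
# http.uri buffer holds only the path (and query); the host is present there only for
# proxy-style absolute request URIs. The original single-content form therefore could not
# match ordinary client traffic. Each rule below now matches the host in the http.host
# buffer (already lowercased by Suricata, hence no nocase, and the more selective part so it
# carries fast_pattern) and the path in http.uri; rev bumped to 2 for every changed rule.
# The msg text is left as exported so alerts still correlate with the MISP attribute.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e60 [tlp:white] Outgoing URL airmax2015.leadingineurope.eu/wp-content/gallery/"; flow:to_server,established; http.host; content:"airmax2015.leadingineurope.eu"; fast_pattern; http.uri; content:"/wp-content/gallery/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4029561; rev:2; priority:2; reference:url,https://misp.botvrij.eu/events/view/60;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e60 [tlp:white] Outgoing URL bestattung-eckl.at/typo3temp/wizard.php"; flow:to_server,established; http.host; content:"bestattung-eckl.at"; fast_pattern; http.uri; content:"/typo3temp/wizard.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4029571; rev:2; priority:2; reference:url,https://misp.botvrij.eu/events/view/60;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e60 [tlp:white] Outgoing URL buendnis-depression.at/typo3temp/ajaxify-rss.php"; flow:to_server,established; http.host; content:"buendnis-depression.at"; fast_pattern; http.uri; content:"/typo3temp/ajaxify-rss.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4029581; rev:2; priority:2; reference:url,https://misp.botvrij.eu/events/view/60;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e60 [tlp:white] Outgoing URL deutschland-feuerwerk.de/fileadmin/dekoservice/rosefeed.php"; flow:to_server,established; http.host; content:"deutschland-feuerwerk.de"; fast_pattern; http.uri; content:"/fileadmin/dekoservice/rosefeed.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4029591; rev:2; priority:2; reference:url,https://misp.botvrij.eu/events/view/60;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e60 [tlp:white] Outgoing URL digitallaut.at/typo3temp/viewpage.php"; flow:to_server,established; http.host; content:"digitallaut.at"; fast_pattern; http.uri; content:"/typo3temp/viewpage.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4029601; rev:2; priority:2; reference:url,https://misp.botvrij.eu/events/view/60;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e60 [tlp:white] Outgoing URL florida4lottery.com/wp-content/languages/index.php"; flow:to_server,established; http.host; content:"florida4lottery.com"; fast_pattern; http.uri; content:"/wp-content/languages/index.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4029611; rev:2; priority:2; reference:url,https://misp.botvrij.eu/events/view/60;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e60 [tlp:white] Outgoing URL porkandmeadmag.com/wp-content/gallery/"; flow:to_server,established; http.host; content:"porkandmeadmag.com"; fast_pattern; http.uri; content:"/wp-content/gallery/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4029621; rev:2; priority:2; reference:url,https://misp.botvrij.eu/events/view/60;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e60 [tlp:white] Outgoing URL salenames.cn/wp-includes/pomo/js/"; flow:to_server,established; http.host; content:"salenames.cn"; fast_pattern; http.uri; content:"/wp-includes/pomo/js/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4029631; rev:2; priority:2; reference:url,https://misp.botvrij.eu/events/view/60;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e60 [tlp:white] Outgoing URL shdv.de/fileadmin/shdv/Pressemappe/presserss.php"; flow:to_server,established; http.host; content:"shdv.de"; fast_pattern; http.uri; content:"/fileadmin/shdv/Pressemappe/presserss.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4029641; rev:2; priority:2; reference:url,https://misp.botvrij.eu/events/view/60;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e60 [tlp:white] Outgoing URL smartrip-israel.com/wp-content/gallery/about.php"; flow:to_server,established; http.host; content:"smartrip-israel.com"; fast_pattern; http.uri; content:"/wp-content/gallery/about.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4029651; rev:2; priority:2; reference:url,https://misp.botvrij.eu/events/view/60;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e60 [tlp:white] Outgoing URL woo.dev.ideefix.net/wp-content/info/"; flow:to_server,established; http.host; content:"woo.dev.ideefix.net"; fast_pattern; http.uri; content:"/wp-content/info/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4029661; rev:2; priority:2; reference:url,https://misp.botvrij.eu/events/view/60;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e60 [tlp:white] Outgoing URL www.asilocavalsassi.it/media/index.php"; flow:to_server,established; http.host; content:"www.asilocavalsassi.it"; fast_pattern; http.uri; content:"/media/index.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4029671; rev:2; priority:2; reference:url,https://misp.botvrij.eu/events/view/60;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e60 [tlp:white] Outgoing URL www.ljudochbild.se/wp-includes/category/"; flow:to_server,established; http.host; content:"www.ljudochbild.se"; fast_pattern; http.uri; content:"/wp-includes/category/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4029681; rev:2; priority:2; reference:url,https://misp.botvrij.eu/events/view/60;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e60 [tlp:white] Outgoing URL www.millhavenplace.co.uk/wp-content/gallery/index.php"; flow:to_server,established; http.host; content:"www.millhavenplace.co.uk"; fast_pattern; http.uri; content:"/wp-content/gallery/index.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4029691; rev:2; priority:2; reference:url,https://misp.botvrij.eu/events/view/60;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e60 [tlp:white] Outgoing URL www.jagdhornschule.ch/typo3temp/rss-feed.php"; flow:to_server,established; http.host; content:"www.jagdhornschule.ch"; fast_pattern; http.uri; content:"/typo3temp/rss-feed.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4029701; rev:2; priority:2; reference:url,https://misp.botvrij.eu/events/view/60;)
# NOTE(review): the e61 sender rule matches the literal SMTP envelope command ("MAIL FROM:")
# only, not the message's From: header, and only on port 25 towards $SMTP_SERVERS; sessions
# that upgrade with STARTTLS are not inspectable by it, and the envelope sender is trivially
# spoofable, so treat hits as a lead rather than confirmation.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e61 [tlp:white] Source Email Address: make_a_wish@mail.ru"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"make_a_wish@mail.ru"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4029831; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/61;)
alert ip $HOME_NET any -> 37.1.207.80 any (msg: "MISP e61 [tlp:white] Outgoing To IP: 37.1.207.80"; classtype:trojan-activity; sid:4029841; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/61;)
alert ip $HOME_NET any -> 5.61.37.239 any (msg: "MISP e61 [tlp:white] Outgoing To IP: 5.61.37.239"; classtype:trojan-activity; sid:4029851; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/61;)
alert ip $HOME_NET any -> 5.61.38.34 any (msg: "MISP e61 [tlp:white] Outgoing To IP: 5.61.38.34";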
classtype:trojan-activity; sid:4029861; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/61;) alert ip $HOME_NET any -> 5.61.38.33 any (msg: "MISP e61 [tlp:white] Outgoing To IP: 5.61.38.33"; classtype:trojan-activity; sid:4029871; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/61;) alert ip $HOME_NET any -> 5.61.38.32 any (msg: "MISP e61 [tlp:white] Outgoing To IP: 5.61.38.32"; classtype:trojan-activity; sid:4029881; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/61;) alert ip $HOME_NET any -> 5.61.38.31 any (msg: "MISP e61 [tlp:white] Outgoing To IP: 5.61.38.31"; classtype:trojan-activity; sid:4029891; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/61;) alert ip $HOME_NET any -> 5.61.38.30 any (msg: "MISP e61 [tlp:white] Outgoing To IP: 5.61.38.30"; classtype:trojan-activity; sid:4029901; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/61;) alert ip $HOME_NET any -> 82.192.91.11 any (msg: "MISP e61 [tlp:white] Outgoing To IP: 82.192.91.11"; classtype:trojan-activity; sid:4029911; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/61;) alert ip $HOME_NET any -> 95.211.22.199 any (msg: "MISP e61 [tlp:white] Outgoing To IP: 95.211.22.199"; classtype:trojan-activity; sid:4029921; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/61;) alert ip $HOME_NET any -> 95.211.58.238 any (msg: "MISP e61 [tlp:white] Outgoing To IP: 95.211.58.238"; classtype:trojan-activity; sid:4029931; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/61;) alert ip $HOME_NET any -> 45.32.183.118 any (msg: "MISP e63 [tlp:white] Outgoing To IP: 45.32.183.118"; classtype:trojan-activity; sid:4029981; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/63;) alert ip $HOME_NET any -> 85.93.0.72 any (msg: "MISP e63 [tlp:white] Outgoing To IP: 85.93.0.72"; classtype:trojan-activity; sid:4029991; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/63;)
alert ip $HOME_NET any -> 188.0.236.7 any (msg: "MISP e63 [tlp:white] Outgoing To IP: 188.0.236.7"; classtype:trojan-activity; sid:4030001; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/63;)
# NOTE(review): the e63 "Hostname" rules differ from the "Domain" rules elsewhere in this
# file in two ways. Their pcre forbids a '.' immediately before the name
# ([^A-Za-z0-9-\.]), so sub-labels of the hostname do not match; Domain rules use
# [^A-Za-z0-9-] and therefore also fire on any subdomain. Their HTTP rules look for the
# literal "Host: <name>" with exactly one space after the colon, whereas the Domain-style
# HTTP rules (e.g. e64 below) match "Host:" and the name as two independent header-buffer
# contents, so the name in any request header (Referer, Origin, ...) satisfies them.
alert dns any any -> any any (msg: "MISP e63 [tlp:white] Hostname ktljl.g3alead.top"; dns.query; content:"ktljl.g3alead.top"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ktljl\.g3alead\.top$/i"; classtype:trojan-activity; sid:4030011; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/63;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e63 [tlp:white] Outgoing HTTP Hostname ktljl.g3alead.top"; flow:to_server,established; http.header; content: "Host|3a| ktljl.g3alead.top"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ktljl\.g3alead\.top[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4030012; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/63;)
alert dns any any -> any any (msg: "MISP e63 [tlp:white] Hostname nulesz.tk"; dns.query; content:"nulesz.tk"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])nulesz\.tk$/i"; classtype:trojan-activity; sid:4030021; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/63;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e63 [tlp:white] Outgoing HTTP Hostname nulesz.tk"; flow:to_server,established; http.header; content: "Host|3a| nulesz.tk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])nulesz\.tk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4030022; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/63;)
alert dns any any -> any any (msg: "MISP e63 [tlp:white] Hostname vnogjnbaf.c0ecompare.top"; dns.query; content:"vnogjnbaf.c0ecompare.top"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])vnogjnbaf\.c0ecompare\.top$/i"; classtype:trojan-activity; sid:4030031; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/63;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e63 [tlp:white] Outgoing HTTP Hostname vnogjnbaf.c0ecompare.top"; flow:to_server,established; http.header; content: "Host|3a| vnogjnbaf.c0ecompare.top"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])vnogjnbaf\.c0ecompare\.top[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4030032; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/63;)
alert dns any any -> any any (msg: "MISP e63 [tlp:white] Hostname zijkhhcsrd.c0ecompare.top"; dns.query; content:"zijkhhcsrd.c0ecompare.top"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])zijkhhcsrd\.c0ecompare\.top$/i"; classtype:trojan-activity; sid:4030041; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/63;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e63 [tlp:white] Outgoing HTTP Hostname zijkhhcsrd.c0ecompare.top"; flow:to_server,established; http.header; content: "Host|3a| zijkhhcsrd.c0ecompare.top"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])zijkhhcsrd\.c0ecompare\.top[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4030042; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/63;)
alert dns any any -> any any (msg: "MISP e64 [tlp:white] Domain big4u.org"; dns.query; content:"big4u.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])big4u\.org$/i"; classtype:trojan-activity; sid:4030071; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/64;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e64 [tlp:white] Outgoing HTTP Domain big4u.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"big4u.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])big4u\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4030072; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/64;)
alert dns any any -> any any (msg: "MISP e64 [tlp:white] Domain bootfun.info";
dns.query; content:"bootfun.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])bootfun\.info$/i"; classtype:trojan-activity; sid:4030081; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/64;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e64 [tlp:white] Outgoing HTTP Domain bootfun.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bootfun.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bootfun\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4030082; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/64;) alert dns any any -> any any (msg: "MISP e64 [tlp:white] Domain deris.info"; dns.query; content:"deris.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])deris\.info$/i"; classtype:trojan-activity; sid:4030091; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/64;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e64 [tlp:white] Outgoing HTTP Domain deris.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"deris.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])deris\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4030092; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/64;) alert dns any any -> any any (msg: "MISP e64 [tlp:white] Domain fasilmy.info"; dns.query; content:"fasilmy.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])fasilmy\.info$/i"; classtype:trojan-activity; sid:4030101; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/64;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e64 [tlp:white] Outgoing HTTP Domain fasilmy.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"fasilmy.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])fasilmy\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4030102; rev:1; 
priority:2; reference:url,https://misp.botvrij.eu/events/view/64;) alert dns any any -> any any (msg: "MISP e64 [tlp:white] Domain heato.info"; dns.query; content:"heato.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])heato\.info$/i"; classtype:trojan-activity; sid:4030111; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/64;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e64 [tlp:white] Outgoing HTTP Domain heato.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"heato.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])heato\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4030112; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/64;) alert dns any any -> any any (msg: "MISP e64 [tlp:white] Domain legco.info"; dns.query; content:"legco.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])legco\.info$/i"; classtype:trojan-activity; sid:4030121; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/64;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e64 [tlp:white] Outgoing HTTP Domain legco.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"legco.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])legco\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4030122; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/64;) alert dns any any -> any any (msg: "MISP e64 [tlp:white] Domain likerut.info"; dns.query; content:"likerut.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])likerut\.info$/i"; classtype:trojan-activity; sid:4030131; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/64;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e64 [tlp:white] Outgoing HTTP Domain likerut.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"likerut.info"; fast_pattern; nocase; 
pcre: "/(^|[^A-Za-z0-9-])likerut\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4030132; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/64;) alert dns any any -> any any (msg: "MISP e64 [tlp:white] Domain listcool.info"; dns.query; content:"listcool.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])listcool\.info$/i"; classtype:trojan-activity; sid:4030141; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/64;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e64 [tlp:white] Outgoing HTTP Domain listcool.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"listcool.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])listcool\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4030142; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/64;) alert dns any any -> any any (msg: "MISP e64 [tlp:white] Domain monoset.info"; dns.query; content:"monoset.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])monoset\.info$/i"; classtype:trojan-activity; sid:4030151; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/64;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e64 [tlp:white] Outgoing HTTP Domain monoset.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"monoset.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])monoset\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4030152; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/64;) alert dns any any -> any any (msg: "MISP e64 [tlp:white] Domain moonas.info"; dns.query; content:"moonas.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])moonas\.info$/i"; classtype:trojan-activity; sid:4030161; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/64;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e64 [tlp:white] Outgoing 
HTTP Domain moonas.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"moonas.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])moonas\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4030162; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/64;) alert dns any any -> any any (msg: "MISP e64 [tlp:white] Domain ough.info"; dns.query; content:"ough.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])ough\.info$/i"; classtype:trojan-activity; sid:4030171; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/64;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e64 [tlp:white] Outgoing HTTP Domain ough.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ough.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ough\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4030172; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/64;) alert dns any any -> any any (msg: "MISP e64 [tlp:white] Domain paneljob.info"; dns.query; content:"paneljob.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])paneljob\.info$/i"; classtype:trojan-activity; sid:4030181; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/64;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e64 [tlp:white] Outgoing HTTP Domain paneljob.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"paneljob.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])paneljob\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4030182; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/64;) alert dns any any -> any any (msg: "MISP e64 [tlp:white] Domain realget.info"; dns.query; content:"realget.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])realget\.info$/i"; classtype:trojan-activity; sid:4030191; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/64;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e64 [tlp:white] Outgoing HTTP Domain realget.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"realget.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])realget\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4030192; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/64;) alert dns any any -> any any (msg: "MISP e64 [tlp:white] Domain safesuns.info"; dns.query; content:"safesuns.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])safesuns\.info$/i"; classtype:trojan-activity; sid:4030201; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/64;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e64 [tlp:white] Outgoing HTTP Domain safesuns.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"safesuns.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])safesuns\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4030202; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/64;) alert dns any any -> any any (msg: "MISP e64 [tlp:white] Domain sportnew.net"; dns.query; content:"sportnew.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])sportnew\.net$/i"; classtype:trojan-activity; sid:4030211; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/64;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e64 [tlp:white] Outgoing HTTP Domain sportnew.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sportnew.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sportnew\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4030212; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/64;) alert dns any any -> any any (msg: "MISP e64 [tlp:white] Domain 
theget.biz"; dns.query; content:"theget.biz"; nocase; pcre: "/(^|[^A-Za-z0-9-])theget\.biz$/i"; classtype:trojan-activity; sid:4030221; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/64;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e64 [tlp:white] Outgoing HTTP Domain theget.biz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"theget.biz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])theget\.biz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4030222; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/64;) alert dns any any -> any any (msg: "MISP e64 [tlp:white] Domain ukjobmy.com"; dns.query; content:"ukjobmy.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ukjobmy\.com$/i"; classtype:trojan-activity; sid:4030231; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/64;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e64 [tlp:white] Outgoing HTTP Domain ukjobmy.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ukjobmy.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ukjobmy\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4030232; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/64;) alert dns any any -> any any (msg: "MISP e64 [tlp:white] Domain usafun.info"; dns.query; content:"usafun.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])usafun\.info$/i"; classtype:trojan-activity; sid:4030241; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/64;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e64 [tlp:white] Outgoing HTTP Domain usafun.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"usafun.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])usafun\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4030242; rev:1; 
priority:2; reference:url,https://misp.botvrij.eu/events/view/64;) alert dns any any -> any any (msg: "MISP e64 [tlp:white] Domain yelts.net"; dns.query; content:"yelts.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])yelts\.net$/i"; classtype:trojan-activity; sid:4030251; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/64;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e64 [tlp:white] Outgoing HTTP Domain yelts.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"yelts.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])yelts\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4030252; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/64;) alert dns any any -> any any (msg: "MISP e65 [tlp:white] Domain munimonoce.com"; dns.query; content:"munimonoce.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])munimonoce\.com$/i"; classtype:trojan-activity; sid:4030371; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/65;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e65 [tlp:white] Outgoing HTTP Domain munimonoce.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"munimonoce.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])munimonoce\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4030372; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/65;) alert dns any any -> any any (msg: "MISP e65 [tlp:white] Domain wscapi.com"; dns.query; content:"wscapi.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])wscapi\.com$/i"; classtype:trojan-activity; sid:4030381; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/65;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e65 [tlp:white] Outgoing HTTP Domain wscapi.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wscapi.com"; fast_pattern; 
nocase; pcre: "/(^|[^A-Za-z0-9-])wscapi\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4030382; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/65;) alert dns any any -> any any (msg: "MISP e65 [tlp:white] Domain tabsync.net"; dns.query; content:"tabsync.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])tabsync\.net$/i"; classtype:trojan-activity; sid:4030391; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/65;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e65 [tlp:white] Outgoing HTTP Domain tabsync.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tabsync.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tabsync\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4030392; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/65;) alert dns any any -> any any (msg: "MISP e65 [tlp:white] Domain storsvc.org"; dns.query; content:"storsvc.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])storsvc\.org$/i"; classtype:trojan-activity; sid:4030401; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/65;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e65 [tlp:white] Outgoing HTTP Domain storsvc.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"storsvc.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])storsvc\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4030402; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/65;) alert dns any any -> any any (msg: "MISP e65 [tlp:white] Domain servicecdp.com"; dns.query; content:"servicecdp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])servicecdp\.com$/i"; classtype:trojan-activity; sid:4030411; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/65;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e65 [tlp:white] Outgoing HTTP 
Domain servicecdp.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"servicecdp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])servicecdp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4030412; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/65;) alert dns any any -> any any (msg: "MISP e66 [tlp:white] Domain video.today-nytimes.com"; dns.query; content:"video.today-nytimes.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])video\.today\-nytimes\.com$/i"; classtype:trojan-activity; sid:4030431; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e66 [tlp:white] Outgoing HTTP Domain video.today-nytimes.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"video.today-nytimes.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])video\.today\-nytimes\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4030432; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;) alert dns any any -> any any (msg: "MISP e66 [tlp:white] Domain api.officeonlinetool.com"; dns.query; content:"api.officeonlinetool.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])api\.officeonlinetool\.com$/i"; classtype:trojan-activity; sid:4030441; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e66 [tlp:white] Outgoing HTTP Domain api.officeonlinetool.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"api.officeonlinetool.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])api\.officeonlinetool\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4030442; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;) alert dns any any -> any any (msg: "MISP e66 [tlp:white] Domain 
ie.update-windows-microsoft.com"; dns.query; content:"ie.update-windows-microsoft.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ie\.update\-windows\-microsoft\.com$/i"; classtype:trojan-activity; sid:4030451; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e66 [tlp:white] Outgoing HTTP Domain ie.update-windows-microsoft.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ie.update-windows-microsoft.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ie\.update\-windows\-microsoft\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4030452; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;) alert dns any any -> any any (msg: "MISP e66 [tlp:white] Domain travel.tripmans.com"; dns.query; content:"travel.tripmans.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])travel\.tripmans\.com$/i"; classtype:trojan-activity; sid:4030461; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e66 [tlp:white] Outgoing HTTP Domain travel.tripmans.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"travel.tripmans.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])travel\.tripmans\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4030462; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;) alert dns any any -> any any (msg: "MISP e66 [tlp:white] Domain dns.undpus.com"; dns.query; content:"dns.undpus.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])dns\.undpus\.com$/i"; classtype:trojan-activity; sid:4030471; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e66 [tlp:white] Outgoing HTTP Domain dns.undpus.com"; flow:to_server,established; http.header; content: "Host|3a|"; 
nocase; http.header; content:"dns.undpus.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dns\.undpus\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4030472; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;) alert dns any any -> any any (msg: "MISP e66 [tlp:white] Domain secure2.sophosrv.com"; dns.query; content:"secure2.sophosrv.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])secure2\.sophosrv\.com$/i"; classtype:trojan-activity; sid:4030481; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e66 [tlp:white] Outgoing HTTP Domain secure2.sophosrv.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"secure2.sophosrv.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])secure2\.sophosrv\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4030482; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;) alert dns any any -> any any (msg: "MISP e66 [tlp:white] Domain update.nfkllyuisyahooapis.com"; dns.query; content:"update.nfkllyuisyahooapis.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])update\.nfkllyuisyahooapis\.com$/i"; classtype:trojan-activity; sid:4030491; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e66 [tlp:white] Outgoing HTTP Domain update.nfkllyuisyahooapis.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"update.nfkllyuisyahooapis.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])update\.nfkllyuisyahooapis\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4030492; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;) alert dns any any -> any any (msg: "MISP e66 [tlp:white] Domain www.go-gga.com"; dns.query; content:"www.go-gga.com"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])www\.go\-gga\.com$/i"; classtype:trojan-activity; sid:4030501; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e66 [tlp:white] Outgoing HTTP Domain www.go-gga.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"www.go-gga.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.go\-gga\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4030502; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;) alert dns any any -> any any (msg: "MISP e66 [tlp:white] Domain images.defexpoindia14.com"; dns.query; content:"images.defexpoindia14.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])images\.defexpoindia14\.com$/i"; classtype:trojan-activity; sid:4030511; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e66 [tlp:white] Outgoing HTTP Domain images.defexpoindia14.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"images.defexpoindia14.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])images\.defexpoindia14\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4030512; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;) alert dns any any -> any any (msg: "MISP e66 [tlp:white] Domain update.micrdsoft.com"; dns.query; content:"update.micrdsoft.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])update\.micrdsoft\.com$/i"; classtype:trojan-activity; sid:4030521; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e66 [tlp:white] Outgoing HTTP Domain update.micrdsoft.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"update.micrdsoft.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])update\.micrdsoft\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4030522; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;) alert dns any any -> any any (msg: "MISP e66 [tlp:white] Domain support.f--secure.com"; dns.query; content:"support.f--secure.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])support\.f\-\-secure\.com$/i"; classtype:trojan-activity; sid:4030531; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e66 [tlp:white] Outgoing HTTP Domain support.f--secure.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"support.f--secure.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])support\.f\-\-secure\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4030532; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;) alert dns any any -> any any (msg: "MISP e66 [tlp:white] Domain store.outlook-microsoft.net"; dns.query; content:"store.outlook-microsoft.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])store\.outlook\-microsoft\.net$/i"; classtype:trojan-activity; sid:4030541; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e66 [tlp:white] Outgoing HTTP Domain store.outlook-microsoft.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"store.outlook-microsoft.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])store\.outlook\-microsoft\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4030542; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;) alert dns any any -> any any (msg: "MISP e66 [tlp:white] Domain b.support.outlook-microsoft.net"; dns.query; content:"b.support.outlook-microsoft.net"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])b\.support\.outlook\-microsoft\.net$/i"; classtype:trojan-activity; sid:4030551; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e66 [tlp:white] Outgoing HTTP Domain b.support.outlook-microsoft.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"b.support.outlook-microsoft.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])b\.support\.outlook\-microsoft\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4030552; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;) alert dns any any -> any any (msg: "MISP e66 [tlp:white] Domain logon.had-one-job.com"; dns.query; content:"logon.had-one-job.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])logon\.had\-one\-job\.com$/i"; classtype:trojan-activity; sid:4030561; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e66 [tlp:white] Outgoing HTTP Domain logon.had-one-job.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"logon.had-one-job.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])logon\.had\-one\-job\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4030562; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;) alert dns any any -> any any (msg: "MISP e66 [tlp:white] Domain www.avgfree.us"; dns.query; content:"www.avgfree.us"; nocase; pcre: "/(^|[^A-Za-z0-9-])www\.avgfree\.us$/i"; classtype:trojan-activity; sid:4030571; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e66 [tlp:white] Outgoing HTTP Domain www.avgfree.us"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"www.avgfree.us"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])www\.avgfree\.us[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4030572; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;) alert dns any any -> any any (msg: "MISP e66 [tlp:white] Domain mail.upgoogle.com"; dns.query; content:"mail.upgoogle.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])mail\.upgoogle\.com$/i"; classtype:trojan-activity; sid:4030581; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e66 [tlp:white] Outgoing HTTP Domain mail.upgoogle.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mail.upgoogle.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mail\.upgoogle\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4030582; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;) alert dns any any -> any any (msg: "MISP e66 [tlp:white] Domain wbmail.city-library.com"; dns.query; content:"wbmail.city-library.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])wbmail\.city\-library\.com$/i"; classtype:trojan-activity; sid:4030591; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e66 [tlp:white] Outgoing HTTP Domain wbmail.city-library.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wbmail.city-library.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wbmail\.city\-library\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4030592; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;) alert dns any any -> any any (msg: "MISP e66 [tlp:white] Domain library.cpgcorp.org"; dns.query; content:"library.cpgcorp.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])library\.cpgcorp\.org$/i"; classtype:trojan-activity; sid:4030601; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/66;)
# ---------------------------------------------------------------------------
# NOTE(review): the rules below are machine-generated (MISP NIDS export,
# events 66 and 67; see the reference:url on each rule). The sid appears to be
# derived from the MISP attribute id: the DNS/IP rule for an indicator ends in
# ...1 and its paired HTTP rule in ...2 (e.g. 4032671 / 4032672 for
# mozarting.com). Do not hand-edit individual rules here - re-export from MISP
# instead; a changed rule text under an unchanged rev:1 is invisible to a rule
# manager that deduplicates on sid/rev.
# Suricata reads one newline-terminated rule per line; they are kept one per
# line below so a parser sees each rule whole.
# ---------------------------------------------------------------------------
# HTTP domain rule for event 66 (library.cpgcorp.org). The first content only
# asserts that a "Host:" header exists; the domain itself is searched in the
# whole normalized header buffer (http.header sticky buffer, pcre /H flag) and
# is NOT anchored to the Host value, so the domain appearing in Referer,
# Origin or Cookie fires as well. The trailing [^A-Za-z0-9-\.] means a
# "<domain>.evil.com" suffix does not match but "<domain>:8080" does.
# tag:session,600,seconds logs the rest of the matching flow for 600 s.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e66 [tlp:white] Outgoing HTTP Domain library.cpgcorp.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"library.cpgcorp.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])library\.cpgcorp\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4030602; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;)
# IP indicators, event 66 (priority:1) then event 67 (priority:2), as set by
# the exporter. "alert ip $HOME_NET any -> <ip> any" fires on ANY protocol and
# port from the monitored network to the address, not only on the C2 channel,
# so a hit means "talked to this address" and nothing more. Several addresses
# form contiguous runs in hosting space (178.162.210.242-248,
# 46.165.248.236-243, 91.229.79.181-190, 95.211.205.161-166); IP indicators of
# this kind age quickly - re-validate against the referenced MISP event before
# turning an alert into a block. Make sure $HOME_NET is your real internal
# range: with $HOME_NET set to "any" these rules also fire on transit traffic.
alert ip $HOME_NET any -> 103.229.124.1 any (msg: "MISP e66 [tlp:white] Outgoing To IP: 103.229.124.1"; classtype:trojan-activity; sid:4030611; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;)
alert ip $HOME_NET any -> 103.39.78.131 any (msg: "MISP e66 [tlp:white] Outgoing To IP: 103.39.78.131"; classtype:trojan-activity; sid:4030621; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;)
alert ip $HOME_NET any -> 107.191.61.105 any (msg: "MISP e66 [tlp:white] Outgoing To IP: 107.191.61.105"; classtype:trojan-activity; sid:4030631; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;)
alert ip $HOME_NET any -> 112.213.117.52 any (msg: "MISP e66 [tlp:white] Outgoing To IP: 112.213.117.52"; classtype:trojan-activity; sid:4030641; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;)
alert ip $HOME_NET any -> 116.251.210.77 any (msg: "MISP e66 [tlp:white] Outgoing To IP: 116.251.210.77"; classtype:trojan-activity; sid:4030651; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;)
alert ip $HOME_NET any -> 116.251.216.165 any (msg: "MISP e66 [tlp:white] Outgoing To IP: 116.251.216.165"; classtype:trojan-activity; sid:4030661; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;)
alert ip $HOME_NET any -> 116.251.216.227 any (msg: "MISP e66 [tlp:white] Outgoing To IP: 116.251.216.227"; classtype:trojan-activity; sid:4030671; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;)
alert ip $HOME_NET any -> 116.251.216.72 any (msg: "MISP e66 [tlp:white] Outgoing To IP: 116.251.216.72"; classtype:trojan-activity; sid:4030681; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;)
alert ip $HOME_NET any -> 116.251.219.142 any (msg: "MISP e66 [tlp:white] Outgoing To IP: 116.251.219.142"; classtype:trojan-activity; sid:4030691; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;)
alert ip $HOME_NET any -> 117.17.10.10 any (msg: "MISP e66 [tlp:white] Outgoing To IP: 117.17.10.10"; classtype:trojan-activity; sid:4030701; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;)
alert ip $HOME_NET any -> 151.236.14.53 any (msg: "MISP e66 [tlp:white] Outgoing To IP: 151.236.14.53"; classtype:trojan-activity; sid:4030711; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;)
alert ip $HOME_NET any -> 176.31.220.160 any (msg: "MISP e66 [tlp:white] Outgoing To IP: 176.31.220.160"; classtype:trojan-activity; sid:4030721; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;)
alert ip $HOME_NET any -> 178.209.51.164 any (msg: "MISP e66 [tlp:white] Outgoing To IP: 178.209.51.164"; classtype:trojan-activity; sid:4030731; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;)
alert ip $HOME_NET any -> 178.209.52.72 any (msg: "MISP e66 [tlp:white] Outgoing To IP: 178.209.52.72"; classtype:trojan-activity; sid:4030741; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;)
alert ip $HOME_NET any -> 192.157.229.164 any (msg: "MISP e66 [tlp:white] Outgoing To IP: 192.157.229.164"; classtype:trojan-activity; sid:4030751; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;)
alert ip $HOME_NET any -> 198.98.103.7 any (msg: "MISP e66 [tlp:white] Outgoing To IP: 198.98.103.7"; classtype:trojan-activity; sid:4030761; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;)
alert ip $HOME_NET any -> 210.245.85.83 any (msg: "MISP e66 [tlp:white] Outgoing To IP: 210.245.85.83"; classtype:trojan-activity; sid:4030771; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;)
alert ip $HOME_NET any -> 23.89.200.128 any (msg: "MISP e66 [tlp:white] Outgoing To IP: 23.89.200.128"; classtype:trojan-activity; sid:4030781; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;)
alert ip $HOME_NET any -> 23.89.201.173 any (msg: "MISP e66 [tlp:white] Outgoing To IP: 23.89.201.173"; classtype:trojan-activity; sid:4030791; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;)
alert ip $HOME_NET any -> 38.109.190.55 any (msg: "MISP e66 [tlp:white] Outgoing To IP: 38.109.190.55"; classtype:trojan-activity; sid:4030801; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;)
alert ip $HOME_NET any -> 49.213.18.15 any (msg: "MISP e66 [tlp:white] Outgoing To IP: 49.213.18.15"; classtype:trojan-activity; sid:4030811; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;)
alert ip $HOME_NET any -> 50.117.47.66 any (msg: "MISP e66 [tlp:white] Outgoing To IP: 50.117.47.66"; classtype:trojan-activity; sid:4030821; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;)
alert ip $HOME_NET any -> 50.117.47.67 any (msg: "MISP e66 [tlp:white] Outgoing To IP: 50.117.47.67"; classtype:trojan-activity; sid:4030831; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;)
alert ip $HOME_NET any -> 61.250.92.79 any (msg: "MISP e66 [tlp:white] Outgoing To IP: 61.250.92.79"; classtype:trojan-activity; sid:4030841; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/66;)
# Event 67 IP indicators (priority:2).
alert ip $HOME_NET any -> 212.129.13.110 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 212.129.13.110"; classtype:trojan-activity; sid:4031251; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 212.129.7.146 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 212.129.7.146"; classtype:trojan-activity; sid:4031261; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 45.43.192.172 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 45.43.192.172"; classtype:trojan-activity; sid:4031271; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 178.162.210.242 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 178.162.210.242"; classtype:trojan-activity; sid:4031281; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 178.162.210.243 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 178.162.210.243"; classtype:trojan-activity; sid:4031291; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 178.162.210.244 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 178.162.210.244"; classtype:trojan-activity; sid:4031301; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 178.162.210.245 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 178.162.210.245"; classtype:trojan-activity; sid:4031311; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 178.162.210.246 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 178.162.210.246"; classtype:trojan-activity; sid:4031321; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 178.162.210.247 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 178.162.210.247"; classtype:trojan-activity; sid:4031331; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 178.162.210.248 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 178.162.210.248"; classtype:trojan-activity; sid:4031341; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 178.162.236.40 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 178.162.236.40"; classtype:trojan-activity; sid:4031351; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 37.48.77.214 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 37.48.77.214"; classtype:trojan-activity; sid:4031361; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 37.48.77.215 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 37.48.77.215"; classtype:trojan-activity; sid:4031371; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 37.58.60.195 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 37.58.60.195"; classtype:trojan-activity; sid:4031381; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 43.249.37.173 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 43.249.37.173"; classtype:trojan-activity; sid:4031391; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 46.165.225.66 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 46.165.225.66"; classtype:trojan-activity; sid:4031401; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 46.165.229.7 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 46.165.229.7"; classtype:trojan-activity; sid:4031411; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 46.165.229.8 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 46.165.229.8"; classtype:trojan-activity; sid:4031421; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 46.165.229.9 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 46.165.229.9"; classtype:trojan-activity; sid:4031431; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 46.165.248.236 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 46.165.248.236"; classtype:trojan-activity; sid:4031441; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 46.165.248.237 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 46.165.248.237"; classtype:trojan-activity; sid:4031451; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 46.165.248.238 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 46.165.248.238"; classtype:trojan-activity; sid:4031461; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 46.165.248.239 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 46.165.248.239"; classtype:trojan-activity; sid:4031471; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 46.165.248.240 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 46.165.248.240"; classtype:trojan-activity; sid:4031481; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 46.165.248.241 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 46.165.248.241"; classtype:trojan-activity; sid:4031491; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 46.165.248.243 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 46.165.248.243"; classtype:trojan-activity; sid:4031501; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 46.166.163.243 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 46.166.163.243"; classtype:trojan-activity; sid:4031511; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 46.166.163.244 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 46.166.163.244"; classtype:trojan-activity; sid:4031521; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 46.166.163.246 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 46.166.163.246"; classtype:trojan-activity; sid:4031531; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 91.229.79.181 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 91.229.79.181"; classtype:trojan-activity; sid:4031541; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 91.229.79.182 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 91.229.79.182"; classtype:trojan-activity; sid:4031551; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 91.229.79.183 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 91.229.79.183"; classtype:trojan-activity; sid:4031561; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 91.229.79.184 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 91.229.79.184"; classtype:trojan-activity; sid:4031571; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 91.229.79.185 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 91.229.79.185"; classtype:trojan-activity; sid:4031581; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 91.229.79.186 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 91.229.79.186"; classtype:trojan-activity; sid:4031591; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 91.229.79.187 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 91.229.79.187"; classtype:trojan-activity; sid:4031601; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 91.229.79.188 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 91.229.79.188"; classtype:trojan-activity; sid:4031611; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 91.229.79.189 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 91.229.79.189"; classtype:trojan-activity; sid:4031621; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 91.229.79.190 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 91.229.79.190"; classtype:trojan-activity; sid:4031631; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 93.115.95.132 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 93.115.95.132"; classtype:trojan-activity; sid:4031641; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 94.242.219.203 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 94.242.219.203"; classtype:trojan-activity; sid:4031651; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 94.242.223.19 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 94.242.223.19"; classtype:trojan-activity; sid:4031661; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 94.242.223.20 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 94.242.223.20"; classtype:trojan-activity; sid:4031671; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 94.242.223.24 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 94.242.223.24"; classtype:trojan-activity; sid:4031681; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 94.242.223.28 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 94.242.223.28"; classtype:trojan-activity; sid:4031691; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 94.242.231.244 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 94.242.231.244"; classtype:trojan-activity; sid:4031701; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 95.141.34.242 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 95.141.34.242"; classtype:trojan-activity; sid:4031711; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 95.141.34.245 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 95.141.34.245"; classtype:trojan-activity; sid:4031721; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 95.141.34.246 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 95.141.34.246"; classtype:trojan-activity; sid:4031731; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 95.211.205.142 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 95.211.205.142"; classtype:trojan-activity; sid:4031741; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 95.211.205.161 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 95.211.205.161"; classtype:trojan-activity; sid:4031751; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 95.211.205.163 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 95.211.205.163"; classtype:trojan-activity; sid:4031761; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 95.211.205.164 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 95.211.205.164"; classtype:trojan-activity; sid:4031771; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 95.211.205.165 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 95.211.205.165"; classtype:trojan-activity; sid:4031781; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 95.211.205.166 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 95.211.205.166"; classtype:trojan-activity; sid:4031791; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert ip $HOME_NET any -> 95.211.3.135 any (msg: "MISP e67 [tlp:white] Outgoing To IP: 95.211.3.135"; classtype:trojan-activity; sid:4031801; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
# Event 67 domain indicators, two rules per domain (DNS ...1, HTTP ...2).
# - DNS rule: "alert dns any any -> any any" on the dns.query buffer. The pcre
#   is anchored at the END of the name only, so subdomains of the indicator
#   also match (intended). Direction is any/any, so if both the client->resolver
#   and the resolver->forwarder leg cross the sensor, one lookup alerts twice.
# - HTTP rule: same pattern as the event 66 rule above - "Host|3a|" only proves
#   a Host header is present, the domain is then searched in the whole header
#   buffer (not only the Host value). A rule on the http.host buffer would be
#   tighter; TODO confirm that is wanted before diverging from the exporter.
# - Only cleartext HTTP and DNS are covered here; a TLS session to one of
#   these names would need a tls.sni rule, which this export does not carry.
#   Several names look like lookalikes of well-known brands (e.g.
#   outlookkz.com, majidalfuttaiim.com) - presumably phishing/C2 infrastructure;
#   verify against the MISP event before acting on a hit.
alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain mozarting.com"; dns.query; content:"mozarting.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])mozarting\.com$/i"; classtype:trojan-activity; sid:4032671; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain mozarting.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mozarting.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mozarting\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4032672; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain blingblingg.com"; dns.query; content:"blingblingg.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])blingblingg\.com$/i"; classtype:trojan-activity; sid:4032681; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain blingblingg.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"blingblingg.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])blingblingg\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4032682; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain aaskmee.com"; dns.query; content:"aaskmee.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])aaskmee\.com$/i"; classtype:trojan-activity; sid:4032691; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain aaskmee.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"aaskmee.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])aaskmee\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4032692; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain revoltmax.com"; dns.query; content:"revoltmax.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])revoltmax\.com$/i"; classtype:trojan-activity; sid:4032701; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain revoltmax.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"revoltmax.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])revoltmax\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4032702; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain eyescreem.com"; dns.query; content:"eyescreem.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])eyescreem\.com$/i"; classtype:trojan-activity; sid:4032711; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain eyescreem.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"eyescreem.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])eyescreem\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4032712; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain outlookkz.com"; dns.query; content:"outlookkz.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])outlookkz\.com$/i"; classtype:trojan-activity; sid:4032721; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain outlookkz.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"outlookkz.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])outlookkz\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4032722; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain xmachinez.com"; dns.query; content:"xmachinez.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])xmachinez\.com$/i"; classtype:trojan-activity; sid:4032731; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain xmachinez.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"xmachinez.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])xmachinez\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4032732; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain pizzahomez.com"; dns.query; content:"pizzahomez.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])pizzahomez\.com$/i"; classtype:trojan-activity; sid:4032741; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain pizzahomez.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pizzahomez.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pizzahomez\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4032742; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain newsnstat.com"; dns.query; content:"newsnstat.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])newsnstat\.com$/i"; classtype:trojan-activity; sid:4032751; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain newsnstat.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"newsnstat.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])newsnstat\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4032752; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain 163-cn.org"; dns.query; content:"163-cn.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])163\-cn\.org$/i"; classtype:trojan-activity; sid:4032761; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain 163-cn.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"163-cn.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])163\-cn\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4032762; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain cnmilit.com"; dns.query; content:"cnmilit.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])cnmilit\.com$/i"; classtype:trojan-activity; sid:4032771; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain cnmilit.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cnmilit.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cnmilit\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4032772; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain 81-cn.net"; dns.query; content:"81-cn.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])81\-cn\.net$/i"; classtype:trojan-activity; sid:4032781; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain 81-cn.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"81-cn.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])81\-cn\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4032782; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain climaxcn.com"; dns.query; content:"climaxcn.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])climaxcn\.com$/i"; classtype:trojan-activity; sid:4032791; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain climaxcn.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"climaxcn.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])climaxcn\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4032792; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain expatchina.info"; dns.query; content:"expatchina.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])expatchina\.info$/i"; classtype:trojan-activity; sid:4032801; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain expatchina.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"expatchina.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])expatchina\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4032802; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain miltechweb.com"; dns.query; content:"miltechweb.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])miltechweb\.com$/i"; classtype:trojan-activity; sid:4032811; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain miltechweb.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"miltechweb.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])miltechweb\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4032812; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain nduformation.com"; dns.query; content:"nduformation.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])nduformation\.com$/i"; classtype:trojan-activity; sid:4032821; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain nduformation.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nduformation.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nduformation\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4032822; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain securematrixx.com"; dns.query; content:"securematrixx.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])securematrixx\.com$/i"; classtype:trojan-activity; sid:4032831; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain securematrixx.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"securematrixx.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])securematrixx\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4032832; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain xbladezz.com"; dns.query; content:"xbladezz.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])xbladezz\.com$/i"; classtype:trojan-activity; sid:4032841; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain xbladezz.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"xbladezz.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])xbladezz\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4032842; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain asiandefnetwork.com"; dns.query; content:"asiandefnetwork.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])asiandefnetwork\.com$/i"; classtype:trojan-activity; sid:4032851; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain asiandefnetwork.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"asiandefnetwork.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])asiandefnetwork\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4032852; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain sinodefprog.info"; dns.query; content:"sinodefprog.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])sinodefprog\.info$/i"; classtype:trojan-activity; sid:4032861; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain sinodefprog.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sinodefprog.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sinodefprog\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4032862; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain qqgroups.info"; dns.query; content:"qqgroups.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])qqgroups\.info$/i"; classtype:trojan-activity; sid:4032871; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain qqgroups.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"qqgroups.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])qqgroups\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4032872; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain chinastrat.com"; dns.query; content:"chinastrat.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])chinastrat\.com$/i"; classtype:trojan-activity; sid:4032881; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain chinastrat.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"chinastrat.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])chinastrat\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4032882; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain miltechcn.com"; dns.query; content:"miltechcn.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])miltechcn\.com$/i"; classtype:trojan-activity; sid:4032891; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain miltechcn.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"miltechcn.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])miltechcn\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4032892; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain numeronez.com"; dns.query; content:"numeronez.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])numeronez\.com$/i"; classtype:trojan-activity; sid:4032901; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain numeronez.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"numeronez.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])numeronez\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4032902; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain telemediaz.com"; dns.query; content:"telemediaz.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])telemediaz\.com$/i"; classtype:trojan-activity; sid:4032911; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain telemediaz.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"telemediaz.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])telemediaz\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4032912; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain majidalfuttaiim.com"; dns.query; content:"majidalfuttaiim.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])majidalfuttaiim\.com$/i"; classtype:trojan-activity; sid:4032921; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain majidalfuttaiim.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"majidalfuttaiim.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])majidalfuttaiim\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4032922; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain webworldreq.com"; dns.query; content:"webworldreq.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])webworldreq\.com$/i"; classtype:trojan-activity; sid:4032931; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain webworldreq.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"webworldreq.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])webworldreq\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4032932; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain nextraload.com"; dns.query; content:"nextraload.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])nextraload\.com$/i"; classtype:trojan-activity; sid:4032941; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain nextraload.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nextraload.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nextraload\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4032942; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain junshiyuehui.com"; dns.query; content:"junshiyuehui.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])junshiyuehui\.com$/i"; classtype:trojan-activity; sid:4032951; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain junshiyuehui.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"junshiyuehui.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])junshiyuehui\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4032952; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain cndailynetwork.info"; dns.query; content:"cndailynetwork.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])cndailynetwork\.info$/i"; classtype:trojan-activity; sid:4032961; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;)
# The HTTP rule for cndailynetwork.info continues on the next line of the file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain cndailynetwork.info"; flow:to_server,established; http.header; content: 
"Host|3a|"; nocase; http.header; content:"cndailynetwork.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cndailynetwork\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4032962; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;) alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain extrememachine.org"; dns.query; content:"extrememachine.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])extrememachine\.org$/i"; classtype:trojan-activity; sid:4032971; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain extrememachine.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"extrememachine.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])extrememachine\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4032972; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;) alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain yue-lao.info"; dns.query; content:"yue-lao.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])yue\-lao\.info$/i"; classtype:trojan-activity; sid:4032981; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain yue-lao.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"yue-lao.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])yue\-lao\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4032982; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;) alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain you-yisi.com"; dns.query; content:"you-yisi.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])you\-yisi\.com$/i"; classtype:trojan-activity; sid:4032991; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/67;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain you-yisi.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"you-yisi.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])you\-yisi\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4032992; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;) alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain annchenn.com"; dns.query; content:"annchenn.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])annchenn\.com$/i"; classtype:trojan-activity; sid:4033001; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain annchenn.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"annchenn.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])annchenn\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4033002; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;) alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain office-rb-support.com"; dns.query; content:"office-rb-support.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])office\-rb\-support\.com$/i"; classtype:trojan-activity; sid:4033011; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain office-rb-support.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"office-rb-support.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])office\-rb\-support\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4033012; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;) alert dns any 
any -> any any (msg: "MISP e67 [tlp:white] Domain greatdexter.com"; dns.query; content:"greatdexter.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])greatdexter\.com$/i"; classtype:trojan-activity; sid:4033021; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain greatdexter.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"greatdexter.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])greatdexter\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4033022; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;) alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain haiwaipengyou.com"; dns.query; content:"haiwaipengyou.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])haiwaipengyou\.com$/i"; classtype:trojan-activity; sid:4033031; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain haiwaipengyou.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"haiwaipengyou.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])haiwaipengyou\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4033032; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;) alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain extremerebolt.com"; dns.query; content:"extremerebolt.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])extremerebolt\.com$/i"; classtype:trojan-activity; sid:4033041; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain extremerebolt.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"extremerebolt.com"; 
fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])extremerebolt\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4033042; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;) alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain matrixrevolt.com"; dns.query; content:"matrixrevolt.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])matrixrevolt\.com$/i"; classtype:trojan-activity; sid:4033051; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain matrixrevolt.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"matrixrevolt.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])matrixrevolt\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4033052; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;) alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain info81.com"; dns.query; content:"info81.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])info81\.com$/i"; classtype:trojan-activity; sid:4033061; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain info81.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"info81.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])info81\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4033062; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;) alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain chinastrats.com"; dns.query; content:"chinastrats.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])chinastrats\.com$/i"; classtype:trojan-activity; sid:4033071; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain chinastrats.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"chinastrats.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])chinastrats\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4033072; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;) alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain epg-cn.com"; dns.query; content:"epg-cn.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])epg\-cn\.com$/i"; classtype:trojan-activity; sid:4033081; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain epg-cn.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"epg-cn.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])epg\-cn\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4033082; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;) alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain nutcn.com"; dns.query; content:"nutcn.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])nutcn\.com$/i"; classtype:trojan-activity; sid:4033091; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain nutcn.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nutcn.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nutcn\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4033092; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;) alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain modgovcn.com"; dns.query; content:"modgovcn.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])modgovcn\.com$/i"; 
classtype:trojan-activity; sid:4033101; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain modgovcn.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"modgovcn.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])modgovcn\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4033102; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;) alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain socialfreakzz.com"; dns.query; content:"socialfreakzz.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])socialfreakzz\.com$/i"; classtype:trojan-activity; sid:4033111; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain socialfreakzz.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"socialfreakzz.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])socialfreakzz\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4033112; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;) alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain militaryworkerscn.com"; dns.query; content:"militaryworkerscn.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])militaryworkerscn\.com$/i"; classtype:trojan-activity; sid:4033121; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain militaryworkerscn.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"militaryworkerscn.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])militaryworkerscn\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4033122; 
rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;) alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain extremebolt.com"; dns.query; content:"extremebolt.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])extremebolt\.com$/i"; classtype:trojan-activity; sid:4033131; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain extremebolt.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"extremebolt.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])extremebolt\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4033132; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;) alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain lujunxinxi.com"; dns.query; content:"lujunxinxi.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])lujunxinxi\.com$/i"; classtype:trojan-activity; sid:4033141; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain lujunxinxi.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lujunxinxi.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lujunxinxi\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4033142; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;) alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain letsgetclose.com"; dns.query; content:"letsgetclose.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])letsgetclose\.com$/i"; classtype:trojan-activity; sid:4033151; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain letsgetclose.com"; flow:to_server,established; http.header; content: 
"Host|3a|"; nocase; http.header; content:"letsgetclose.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])letsgetclose\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4033152; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;) alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain milresearchcn.com"; dns.query; content:"milresearchcn.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])milresearchcn\.com$/i"; classtype:trojan-activity; sid:4033161; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain milresearchcn.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"milresearchcn.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])milresearchcn\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4033162; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;) alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain alfred.ignorelist.com"; dns.query; content:"alfred.ignorelist.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])alfred\.ignorelist\.com$/i"; classtype:trojan-activity; sid:4033171; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain alfred.ignorelist.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"alfred.ignorelist.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])alfred\.ignorelist\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4033172; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;) alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain symantecz.com"; dns.query; content:"symantecz.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])symantecz\.com$/i"; 
classtype:trojan-activity; sid:4033181; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain symantecz.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"symantecz.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])symantecz\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4033182; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;) alert dns any any -> any any (msg: "MISP e67 [tlp:white] Domain nudtcn.com"; dns.query; content:"nudtcn.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])nudtcn\.com$/i"; classtype:trojan-activity; sid:4033191; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e67 [tlp:white] Outgoing HTTP Domain nudtcn.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nudtcn.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nudtcn\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4033192; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;) alert http $HOME_NET any -> 212.129.13.110 $HTTP_PORTS (msg: "MISP e67 [tlp:white] Outgoing URL http|3a|//212.129.13.110/update-request.php?profile="; flow:to_server,established; http.header; content:"212.129.13.110"; fast_pattern; nocase; http.uri; content:"/update-request.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4033201; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;) alert http $HOME_NET any -> 212.129.13.110 $HTTP_PORTS (msg: "MISP e67 [tlp:white] Outgoing URL http|3a|//212.129.13.110/dropper.php?profile="; flow:to_server,established; http.header; content:"212.129.13.110"; fast_pattern; nocase; http.uri; content:"/dropper.php"; nocase; tag:session,600,seconds; 
classtype:trojan-activity; sid:4033211; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e67 [tlp:white] Outgoing URL http|3a|//cnmilit.com"; flow:to_server,established; http.header; content:"cnmilit.com"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4033221; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e67 [tlp:white] Outgoing URL http|3a|//t.ymlp50.com/jmyafaejshbafahshaaambmus/click.php"; flow:to_server,established; http.header; content:"t.ymlp50.com"; fast_pattern; nocase; http.uri; content:"/jmyafaejshbafahshaaambmus/click.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4033231; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/67;) alert ip $HOME_NET any -> 88.198.222.163 any (msg: "MISP e68 [tlp:white] Outgoing To IP: 88.198.222.163"; classtype:trojan-activity; sid:4033401; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/68;) alert ip $HOME_NET any -> 104.156.240.212 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 104.156.240.212"; classtype:trojan-activity; sid:4033441; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 104.232.35.136 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 104.232.35.136"; classtype:trojan-activity; sid:4033451; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 104.250.153.57 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 104.250.153.57"; classtype:trojan-activity; sid:4033461; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 107.181.246.211 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 107.181.246.211"; classtype:trojan-activity; sid:4033471; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) 
alert ip $HOME_NET any -> 107.181.250.221 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 107.181.250.221"; classtype:trojan-activity; sid:4033481; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 108.61.57.43 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 108.61.57.43"; classtype:trojan-activity; sid:4033491; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 128.177.144.59 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 128.177.144.59"; classtype:trojan-activity; sid:4033501; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 144.168.45.128 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 144.168.45.128"; classtype:trojan-activity; sid:4033511; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 151.80.8.10 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 151.80.8.10"; classtype:trojan-activity; sid:4033521; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 162.212.105.78 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 162.212.105.78"; classtype:trojan-activity; sid:4033531; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 172.28.202.31 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 172.28.202.31"; classtype:trojan-activity; sid:4033541; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 184.22.81.68 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 184.22.81.68"; classtype:trojan-activity; sid:4033551; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 185.29.9.28 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 185.29.9.28"; classtype:trojan-activity; sid:4033561; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 
185.86.149.115 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 185.86.149.115"; classtype:trojan-activity; sid:4033571; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 185.86.149.60 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 185.86.149.60"; classtype:trojan-activity; sid:4033581; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 186.106.120.113 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 186.106.120.113"; classtype:trojan-activity; sid:4033591; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 190.82.81.132 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 190.82.81.132"; classtype:trojan-activity; sid:4033601; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 194.146.180.58 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 194.146.180.58"; classtype:trojan-activity; sid:4033611; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 195.154.43.52 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 195.154.43.52"; classtype:trojan-activity; sid:4033621; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 198.23.210.156 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 198.23.210.156"; classtype:trojan-activity; sid:4033631; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 207.182.98.21 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 207.182.98.21"; classtype:trojan-activity; sid:4033641; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 208.167.254.234 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 208.167.254.234"; classtype:trojan-activity; sid:4033651; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 209.51.131.190 any 
(msg: "MISP e69 [tlp:white] Outgoing To IP: 209.51.131.190"; classtype:trojan-activity; sid:4033661; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 216.155.131.74 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 216.155.131.74"; classtype:trojan-activity; sid:4033671; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 216.170.116.120 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 216.170.116.120"; classtype:trojan-activity; sid:4033681; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 220.130.157.99 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 220.130.157.99"; classtype:trojan-activity; sid:4033691; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 23.227.196.99 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 23.227.196.99"; classtype:trojan-activity; sid:4033701; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 23.249.164.109 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 23.249.164.109"; classtype:trojan-activity; sid:4033711; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 31.131.17.128 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 31.131.17.128"; classtype:trojan-activity; sid:4033721; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 45.63.23.135 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 45.63.23.135"; classtype:trojan-activity; sid:4033731; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 45.63.96.216 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 45.63.96.216"; classtype:trojan-activity; sid:4033741; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 5.45.179.185 any (msg: "MISP e69 [tlp:white] 
Outgoing To IP: 5.45.179.185"; classtype:trojan-activity; sid:4033751; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 5.45.192.117 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 5.45.192.117"; classtype:trojan-activity; sid:4033761; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 51.254.95.100 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 51.254.95.100"; classtype:trojan-activity; sid:4033771; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 51.254.95.99 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 51.254.95.99"; classtype:trojan-activity; sid:4033781; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 59.55.142.171 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 59.55.142.171"; classtype:trojan-activity; sid:4033791; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e69 [tlp:white] Outgoing URL 60.228.38.213/login.aspx"; flow:to_server,established; http.uri; content:"60.228.38.213/login.aspx"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4033801; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 66.232.124.175 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 66.232.124.175"; classtype:trojan-activity; sid:4033811; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 71.63.154.49 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 71.63.154.49"; classtype:trojan-activity; sid:4033821; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 72.233.55.10 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 72.233.55.10"; classtype:trojan-activity; sid:4033831; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 74.125.39.18 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 74.125.39.18"; classtype:trojan-activity; sid:4033841; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 80.83.118.240 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 80.83.118.240"; classtype:trojan-activity; sid:4033851; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 80.83.118.245 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 80.83.118.245"; classtype:trojan-activity; sid:4033861; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 82.163.78.188 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 82.163.78.188"; classtype:trojan-activity; sid:4033871; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 83.183.76.156 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 83.183.76.156"; classtype:trojan-activity; sid:4033881; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 85.186.125.217 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 85.186.125.217"; classtype:trojan-activity; sid:4033891; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 86.55.7.54 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 86.55.7.54"; classtype:trojan-activity; sid:4033901; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 87.236.210.109 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 87.236.210.109"; classtype:trojan-activity; sid:4033911; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 87.236.210.116 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 87.236.210.116"; classtype:trojan-activity; sid:4033921; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 87.98.153.34 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 87.98.153.34"; classtype:trojan-activity; sid:4033931; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 91.207.60.68 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 91.207.60.68"; classtype:trojan-activity; sid:4033941; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 94.140.120.133 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 94.140.120.133"; classtype:trojan-activity; sid:4033951; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 95.215.44.136 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 95.215.44.136"; classtype:trojan-activity; sid:4033961; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 95.215.45.228 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 95.215.45.228"; classtype:trojan-activity; sid:4033971; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 95.215.45.64 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 95.215.45.64"; classtype:trojan-activity; sid:4033981; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 95.215.45.69 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 95.215.45.69"; classtype:trojan-activity; sid:4033991; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 95.215.45.90 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 95.215.45.90"; classtype:trojan-activity; sid:4034001; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 95.215.45.98 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 95.215.45.98"; classtype:trojan-activity; sid:4034011; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 95.215.46.2 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 95.215.46.2"; classtype:trojan-activity; sid:4034021; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 95.215.46.32 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 95.215.46.32"; classtype:trojan-activity; sid:4034031; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 95.215.46.76 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 95.215.46.76"; classtype:trojan-activity; sid:4034041; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 95.85.12.179 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 95.85.12.179"; classtype:trojan-activity; sid:4034051; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert ip $HOME_NET any -> 98.129.249.174 any (msg: "MISP e69 [tlp:white] Outgoing To IP: 98.129.249.174"; classtype:trojan-activity; sid:4034061; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert dns any any -> any any (msg: "MISP e69 [tlp:white] Hostname clients14-google.com"; dns.query; content:"clients14-google.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])clients14\-google\.com$/i"; classtype:trojan-activity; sid:4034071; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e69 [tlp:white] Outgoing HTTP Hostname clients14-google.com"; flow:to_server,established; http.header; content: "Host|3a| clients14-google.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])clients14\-google\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4034072; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert dns any any -> any any (msg: "MISP e69 [tlp:white] Hostname mail.clients12-google.com"; dns.query; 
content:"mail.clients12-google.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mail\.clients12\-google\.com$/i"; classtype:trojan-activity; sid:4034081; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e69 [tlp:white] Outgoing HTTP Hostname mail.clients12-google.com"; flow:to_server,established; http.header; content: "Host|3a| mail.clients12-google.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mail\.clients12\-google\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4034082; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert dns any any -> any any (msg: "MISP e69 [tlp:white] Hostname ns1.stats1-google.com"; dns.query; content:"ns1.stats1-google.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ns1\.stats1\-google\.com$/i"; classtype:trojan-activity; sid:4034091; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e69 [tlp:white] Outgoing HTTP Hostname ns1.stats1-google.com"; flow:to_server,established; http.header; content: "Host|3a| ns1.stats1-google.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ns1\.stats1\-google\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4034092; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert dns any any -> any any (msg: "MISP e69 [tlp:white] Hostname ns2.stats1-google.com"; dns.query; content:"ns2.stats1-google.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ns2\.stats1\-google\.com$/i"; classtype:trojan-activity; sid:4034101; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e69 [tlp:white] Outgoing HTTP Hostname ns2.stats1-google.com"; flow:to_server,established; http.header; content: "Host|3a| ns2.stats1-google.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-\.])ns2\.stats1\-google\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4034102; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e69 [tlp:white] Outgoing URL wambiri.net/login.aspx"; flow:to_server,established; http.uri; content:"wambiri.net/login.aspx"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4034111; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/69;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e70 [tlp:white] Outgoing URL http|3a|//glazeautocaree.com/proforma-invoice.exe"; flow:to_server,established; http.header; content:"glazeautocaree.com"; fast_pattern; nocase; http.uri; content:"/proforma-invoice.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4034191; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/70;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e70 [tlp:white] Outgoing URL http|3a|//brokelimiteds.in/cdn/images/bro.exe"; flow:to_server,established; http.header; content:"brokelimiteds.in"; fast_pattern; nocase; http.uri; content:"/cdn/images/bro.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4034201; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/70;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e70 [tlp:white] Outgoing URL http|3a|//brokelimiteds.in/cdn/images/onowu.exe"; flow:to_server,established; http.header; content:"brokelimiteds.in"; fast_pattern; nocase; http.uri; content:"/cdn/images/onowu.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4034211; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/70;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e70 [tlp:white] Outgoing URL http|3a|//brokelimiteds.in/cdn/images/obe.exe"; flow:to_server,established; 
http.header; content:"brokelimiteds.in"; fast_pattern; nocase; http.uri; content:"/cdn/images/obe.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4034221; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/70;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e70 [tlp:white] Outgoing URL http|3a|//brokelimiteds.in/wp-admin/css/upload/order.exe"; flow:to_server,established; http.header; content:"brokelimiteds.in"; fast_pattern; nocase; http.uri; content:"/wp-admin/css/upload/order.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4034231; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/70;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e70 [tlp:white] Outgoing URL http|3a|//brokelimiteds.in/wp-admin/css/upload/orders.exe"; flow:to_server,established; http.header; content:"brokelimiteds.in"; fast_pattern; nocase; http.uri; content:"/wp-admin/css/upload/orders.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4034241; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/70;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e70 [tlp:white] Outgoing URL http|3a|//papercuts.info/SocialMedia/java.exe"; flow:to_server,established; http.header; content:"papercuts.info"; fast_pattern; nocase; http.uri; content:"/SocialMedia/java.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4034251; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/70;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e70 [tlp:white] Outgoing URL http|3a|//studiousb.com/mercadolivrestudio/f.zip"; flow:to_server,established; http.header; content:"studiousb.com"; fast_pattern; nocase; http.uri; content:"/mercadolivrestudio/f.zip"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4034261; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/70;) alert 
http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e70 [tlp:white] Outgoing URL http|3a|//copylines.biz/lasagna/gate.php?request=true"; flow:to_server,established; http.header; content:"copylines.biz"; fast_pattern; nocase; http.uri; content:"/lasagna/gate.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4034271; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/70;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e70 [tlp:white] Outgoing URL http|3a|//free.meedlifespeed.com/ComCast/"; flow:to_server,established; http.header; content:"free.meedlifespeed.com"; fast_pattern; nocase; http.uri; content:"/ComCast/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4034281; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/70;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e70 [tlp:white] Outgoing URL http|3a|//emailreferentie.appleid.apple.nl.468213579.com/"; flow:to_server,established; http.header; content:"emailreferentie.appleid.apple.nl.468213579.com"; fast_pattern; nocase; http.uri; content:"/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4034291; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/70;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e70 [tlp:white] Outgoing URL http|3a|//468213579.com/emailreferentie.appleid.apple.nl/emailverificatie-40985443/home/login.php"; flow:to_server,established; http.header; content:"468213579.com"; fast_pattern; nocase; http.uri; content:"/emailreferentie.appleid.apple.nl/emailverificatie-40985443/home/login.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4034301; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/70;) alert http $HOME_NET any -> 192.169.82.86 $HTTP_PORTS (msg: "MISP e70 [tlp:white] Outgoing URL http|3a|//192.169.82.86/~gurgenle/verify/webmail/"; flow:to_server,established; http.header; 
content:"192.169.82.86"; fast_pattern; nocase; http.uri; content:"/~gurgenle/verify/webmail/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4034311; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/70;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e70 [tlp:white] Outgoing URL http|3a|//customer.comcast.com.aboranian.com/login"; flow:to_server,established; http.header; content:"customer.comcast.com.aboranian.com"; fast_pattern; nocase; http.uri; content:"/login"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4034321; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/70;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e70 [tlp:white] Outgoing URL http|3a|//apple-recovery.us/"; flow:to_server,established; http.header; content:"apple-recovery.us"; fast_pattern; nocase; http.uri; content:"/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4034331; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/70;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e70 [tlp:white] Outgoing URL http|3a|//apple.security-block.com/Apple%20-%20My%20Apple%20ID.html"; flow:to_server,established; http.header; content:"apple.security-block.com"; fast_pattern; nocase; http.uri; content:"/Apple%20-%20My%20Apple%20ID.html"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4034341; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/70;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e70 [tlp:white] Outgoing URL http|3a|//https.portal.apple.com.idmswebauth.login.html.appidkey.05c7e09b5896b0334b3af1139274f266b2hxxp|3a|//2b68.f444c4f547116bfd052461b0b3ab1bc2b445a.com/login.html"; flow:to_server,established; http.header; content:"https.portal.apple.com.idmswebauth.login.html.appidkey.05c7e09b5896b0334b3af1139274f266b2hxxp"; fast_pattern; nocase; http.uri; 
content:"//2b68.f444c4f547116bfd052461b0b3ab1bc2b445a.com/login.html"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4034351; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/70;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e70 [tlp:white] Outgoing URL http|3a|//www.deluxepharmacy.net"; flow:to_server,established; http.header; content:"www.deluxepharmacy.net"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4034361; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/70;) alert dns any any -> any any (msg: "MISP e70 [tlp:white] Domain indyproject.org"; dns.query; content:"indyproject.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])indyproject\.org$/i"; classtype:trojan-activity; sid:4034371; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/70;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e70 [tlp:white] Outgoing HTTP Domain indyproject.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"indyproject.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])indyproject\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4034372; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/70;) alert dns any any -> any any (msg: "MISP e70 [tlp:white] Domain studiousb.com"; dns.query; content:"studiousb.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])studiousb\.com$/i"; classtype:trojan-activity; sid:4034381; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/70;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e70 [tlp:white] Outgoing HTTP Domain studiousb.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"studiousb.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])studiousb\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4034382; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/70;) alert dns any any -> any any (msg: "MISP e70 [tlp:white] Domain copylines.biz"; dns.query; content:"copylines.biz"; nocase; pcre: "/(^|[^A-Za-z0-9-])copylines\.biz$/i"; classtype:trojan-activity; sid:4034391; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/70;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e70 [tlp:white] Outgoing HTTP Domain copylines.biz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"copylines.biz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])copylines\.biz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4034392; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/70;) alert dns any any -> any any (msg: "MISP e70 [tlp:white] Domain glazeautocaree.com"; dns.query; content:"glazeautocaree.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])glazeautocaree\.com$/i"; classtype:trojan-activity; sid:4034401; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/70;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e70 [tlp:white] Outgoing HTTP Domain glazeautocaree.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"glazeautocaree.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])glazeautocaree\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4034402; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/70;) alert dns any any -> any any (msg: "MISP e70 [tlp:white] Domain brokelimiteds.in"; dns.query; content:"brokelimiteds.in"; nocase; pcre: "/(^|[^A-Za-z0-9-])brokelimiteds\.in$/i"; classtype:trojan-activity; sid:4034411; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/70;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e70 [tlp:white] Outgoing HTTP Domain brokelimiteds.in"; flow:to_server,established; http.header; content: "Host|3a|"; 
nocase; http.header; content:"brokelimiteds.in"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])brokelimiteds\.in[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4034412; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/70;) alert dns any any -> any any (msg: "MISP e70 [tlp:white] Domain meedlifespeed.com"; dns.query; content:"meedlifespeed.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])meedlifespeed\.com$/i"; classtype:trojan-activity; sid:4034421; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/70;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e70 [tlp:white] Outgoing HTTP Domain meedlifespeed.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"meedlifespeed.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])meedlifespeed\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4034422; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/70;) alert dns any any -> any any (msg: "MISP e70 [tlp:white] Domain 468213579.com"; dns.query; content:"468213579.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])468213579\.com$/i"; classtype:trojan-activity; sid:4034431; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/70;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e70 [tlp:white] Outgoing HTTP Domain 468213579.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"468213579.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])468213579\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4034432; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/70;) alert dns any any -> any any (msg: "MISP e70 [tlp:white] Domain 357912468.com"; dns.query; content:"357912468.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])357912468\.com$/i"; classtype:trojan-activity; sid:4034441; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/70;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e70 [tlp:white] Outgoing HTTP Domain 357912468.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"357912468.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])357912468\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4034442; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/70;) alert dns any any -> any any (msg: "MISP e70 [tlp:white] Domain aboranian.com"; dns.query; content:"aboranian.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])aboranian\.com$/i"; classtype:trojan-activity; sid:4034451; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/70;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e70 [tlp:white] Outgoing HTTP Domain aboranian.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"aboranian.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])aboranian\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4034452; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/70;) alert dns any any -> any any (msg: "MISP e70 [tlp:white] Domain apple-recovery.us"; dns.query; content:"apple-recovery.us"; nocase; pcre: "/(^|[^A-Za-z0-9-])apple\-recovery\.us$/i"; classtype:trojan-activity; sid:4034461; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/70;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e70 [tlp:white] Outgoing HTTP Domain apple-recovery.us"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"apple-recovery.us"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])apple\-recovery\.us[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4034462; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/70;) alert dns any any -> any any 
(msg: "MISP e70 [tlp:white] Domain security-block.com"; dns.query; content:"security-block.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])security\-block\.com$/i"; classtype:trojan-activity; sid:4034471; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/70;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e70 [tlp:white] Outgoing HTTP Domain security-block.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"security-block.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])security\-block\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4034472; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/70;) alert dns any any -> any any (msg: "MISP e70 [tlp:white] Domain com-wn.in"; dns.query; content:"com-wn.in"; nocase; pcre: "/(^|[^A-Za-z0-9-])com\-wn\.in$/i"; classtype:trojan-activity; sid:4034481; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/70;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e70 [tlp:white] Outgoing HTTP Domain com-wn.in"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"com-wn.in"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])com\-wn\.in[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4034482; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/70;) alert dns any any -> any any (msg: "MISP e70 [tlp:white] Domain f444c4f547116bfd052461b0b3ab1bc2b445a.com"; dns.query; content:"f444c4f547116bfd052461b0b3ab1bc2b445a.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])f444c4f547116bfd052461b0b3ab1bc2b445a\.com$/i"; classtype:trojan-activity; sid:4034491; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/70;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e70 [tlp:white] Outgoing HTTP Domain f444c4f547116bfd052461b0b3ab1bc2b445a.com"; flow:to_server,established; http.header; content: "Host|3a|"; 
nocase; http.header; content:"f444c4f547116bfd052461b0b3ab1bc2b445a.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])f444c4f547116bfd052461b0b3ab1bc2b445a\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4034492; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/70;) alert dns any any -> any any (msg: "MISP e70 [tlp:white] Domain deluxepharmacy.net"; dns.query; content:"deluxepharmacy.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])deluxepharmacy\.net$/i"; classtype:trojan-activity; sid:4034501; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/70;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e70 [tlp:white] Outgoing HTTP Domain deluxepharmacy.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"deluxepharmacy.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])deluxepharmacy\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4034502; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/70;) alert dns any any -> any any (msg: "MISP e70 [tlp:white] Domain katynew.pw"; dns.query; content:"katynew.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])katynew\.pw$/i"; classtype:trojan-activity; sid:4034511; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/70;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e70 [tlp:white] Outgoing HTTP Domain katynew.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"katynew.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])katynew\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4034512; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/70;) alert dns any any -> any any (msg: "MISP e70 [tlp:white] Domain mercadojs.com"; dns.query; content:"mercadojs.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])mercadojs\.com$/i"; classtype:trojan-activity; sid:4034521; rev:1; 
priority:1; reference:url,https://misp.botvrij.eu/events/view/70;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e70 [tlp:white] Outgoing HTTP Domain mercadojs.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mercadojs.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mercadojs\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4034522; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/70;) alert ip $HOME_NET any -> 192.169.82.86 any (msg: "MISP e70 [tlp:white] Outgoing To IP: 192.169.82.86"; classtype:trojan-activity; sid:4034841; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/70;) alert dns any any -> any any (msg: "MISP e72 [tlp:white] Hostname ads.retradio.com"; dns.query; content:"ads.retradio.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ads\.retradio\.com$/i"; classtype:trojan-activity; sid:4035081; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/72;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e72 [tlp:white] Outgoing HTTP Hostname ads.retradio.com"; flow:to_server,established; http.header; content: "Host|3a| ads.retradio.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ads\.retradio\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4035082; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/72;) alert ip $HOME_NET any -> 63.141.242.35 any (msg: "MISP e72 [tlp:white] Outgoing To IP: 63.141.242.35"; classtype:trojan-activity; sid:4035091; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/72;) alert dns any any -> any any (msg: "MISP e73 [tlp:white] Domain morelikestoday.com"; dns.query; content:"morelikestoday.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])morelikestoday\.com$/i"; classtype:trojan-activity; sid:4035441; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/73;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg: "MISP e73 [tlp:white] Outgoing HTTP Domain morelikestoday.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"morelikestoday.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])morelikestoday\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4035442; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/73;) alert dns any any -> any any (msg: "MISP e73 [tlp:white] Domain carsi12.com"; dns.query; content:"carsi12.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])carsi12\.com$/i"; classtype:trojan-activity; sid:4035451; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/73;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e73 [tlp:white] Outgoing HTTP Domain carsi12.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"carsi12.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])carsi12\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4035452; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/73;) alert dns any any -> any any (msg: "MISP e73 [tlp:white] Domain sociallyvital.com"; dns.query; content:"sociallyvital.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])sociallyvital\.com$/i"; classtype:trojan-activity; sid:4035461; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/73;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e73 [tlp:white] Outgoing HTTP Domain sociallyvital.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sociallyvital.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sociallyvital\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4035462; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/73;) alert dns any any -> any any (msg: "MISP e73 [tlp:white] Domain mbcqjsuqsd.com"; dns.query; 
content:"mbcqjsuqsd.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])mbcqjsuqsd\.com$/i"; classtype:trojan-activity; sid:4035471; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/73;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e73 [tlp:white] Outgoing HTTP Domain mbcqjsuqsd.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mbcqjsuqsd.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mbcqjsuqsd\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4035472; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/73;) alert dns any any -> any any (msg: "MISP e73 [tlp:white] Domain kcrznhnlpw.com"; dns.query; content:"kcrznhnlpw.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])kcrznhnlpw\.com$/i"; classtype:trojan-activity; sid:4035481; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/73;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e73 [tlp:white] Outgoing HTTP Domain kcrznhnlpw.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kcrznhnlpw.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kcrznhnlpw\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4035482; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/73;) alert dns any any -> any any (msg: "MISP e73 [tlp:white] Domain humzka.com"; dns.query; content:"humzka.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])humzka\.com$/i"; classtype:trojan-activity; sid:4035491; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/73;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e73 [tlp:white] Outgoing HTTP Domain humzka.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"humzka.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])humzka\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4035492; 
rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/73;) alert dns any any -> any any (msg: "MISP e74 [tlp:white] Domain shalaghlagh.tk"; dns.query; content:"shalaghlagh.tk"; nocase; pcre: "/(^|[^A-Za-z0-9-])shalaghlagh\.tk$/i"; classtype:trojan-activity; sid:4035931; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/74;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e74 [tlp:white] Outgoing HTTP Domain shalaghlagh.tk"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"shalaghlagh.tk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])shalaghlagh\.tk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4035932; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/74;) alert dns any any -> any any (msg: "MISP e74 [tlp:white] Domain go0gie.com"; dns.query; content:"go0gie.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])go0gie\.com$/i"; classtype:trojan-activity; sid:4035941; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/74;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e74 [tlp:white] Outgoing HTTP Domain go0gie.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"go0gie.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])go0gie\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4035942; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/74;) alert dns any any -> any any (msg: "MISP e74 [tlp:white] Domain winodwsupdates.me"; dns.query; content:"winodwsupdates.me"; nocase; pcre: "/(^|[^A-Za-z0-9-])winodwsupdates\.me$/i"; classtype:trojan-activity; sid:4035951; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/74;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e74 [tlp:white] Outgoing HTTP Domain winodwsupdates.me"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; 
http.header; content:"winodwsupdates.me"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])winodwsupdates\.me[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4035952; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/74;) alert dns any any -> any any (msg: "MISP e74 [tlp:white] Domain update-kernal.net"; dns.query; content:"update-kernal.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])update\-kernal\.net$/i"; classtype:trojan-activity; sid:4035961; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/74;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e74 [tlp:white] Outgoing HTTP Domain update-kernal.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"update-kernal.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])update\-kernal\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4035962; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/74;) alert dns any any -> any any (msg: "MISP e74 [tlp:white] Domain yahoooooomail.com"; dns.query; content:"yahoooooomail.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])yahoooooomail\.com$/i"; classtype:trojan-activity; sid:4035981; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/74;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e74 [tlp:white] Outgoing HTTP Domain yahoooooomail.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"yahoooooomail.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])yahoooooomail\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4035982; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/74;) alert dns any any -> any any (msg: "MISP e74 [tlp:white] Domain upgradesystems.info"; dns.query; content:"upgradesystems.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])upgradesystems\.info$/i"; classtype:trojan-activity; sid:4035991; rev:1; 
priority:3; reference:url,https://misp.botvrij.eu/events/view/74;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e74 [tlp:white] Outgoing HTTP Domain upgradesystems.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"upgradesystems.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])upgradesystems\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4035992; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/74;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e75 [tlp:white] Outgoing URL perfecthosting.co/alert/"; flow:to_server,established; http.uri; content:"perfecthosting.co/alert/"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4036041; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/75;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e75 [tlp:white] Outgoing URL perfecthosting.co/alert/123.mp3"; flow:to_server,established; http.uri; content:"perfecthosting.co/alert/123.mp3"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4036051; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/75;) alert ip $HOME_NET any -> 79.170.44.106 any (msg: "MISP e75 [tlp:white] Outgoing To IP: 79.170.44.106"; classtype:trojan-activity; sid:4036061; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/75;) alert dns any any -> any any (msg: "MISP e76 [tlp:white] Domain abc24news.com"; dns.query; content:"abc24news.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])abc24news\.com$/i"; classtype:trojan-activity; sid:4036081; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/76;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e76 [tlp:white] Outgoing HTTP Domain abc24news.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"abc24news.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])abc24news\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4036082; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/76;) alert dns any any -> any any (msg: "MISP e76 [tlp:white] Domain defenceglobalnews.com"; dns.query; content:"defenceglobalnews.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])defenceglobalnews\.com$/i"; classtype:trojan-activity; sid:4036091; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/76;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e76 [tlp:white] Outgoing HTTP Domain defenceglobalnews.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"defenceglobalnews.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])defenceglobalnews\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4036092; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/76;) alert dns any any -> any any (msg: "MISP e76 [tlp:white] Domain globaldefencetalk.com"; dns.query; content:"globaldefencetalk.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])globaldefencetalk\.com$/i"; classtype:trojan-activity; sid:4036101; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/76;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e76 [tlp:white] Outgoing HTTP Domain globaldefencetalk.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"globaldefencetalk.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])globaldefencetalk\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4036102; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/76;) alert dns any any -> any any (msg: "MISP e76 [tlp:white] Domain politlco.com"; dns.query; content:"politlco.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])politlco\.com$/i"; classtype:trojan-activity; sid:4036111; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/76;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e76 [tlp:white] Outgoing HTTP Domain politlco.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"politlco.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])politlco\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4036112; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/76;) alert dns any any -> any any (msg: "MISP e76 [tlp:white] Domain pressservices.net"; dns.query; content:"pressservices.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])pressservices\.net$/i"; classtype:trojan-activity; sid:4036121; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/76;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e76 [tlp:white] Outgoing HTTP Domain pressservices.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pressservices.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pressservices\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4036122; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/76;) alert dns any any -> any any (msg: "MISP e76 [tlp:white] Domain washingtnpostnews.com"; dns.query; content:"washingtnpostnews.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])washingtnpostnews\.com$/i"; classtype:trojan-activity; sid:4036131; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/76;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e76 [tlp:white] Outgoing HTTP Domain washingtnpostnews.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"washingtnpostnews.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])washingtnpostnews\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4036132; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/76;) alert dns any any -> any any (msg: "MISP e76 [tlp:white] Domain worldpressjournal.com"; dns.query; content:"worldpressjournal.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])worldpressjournal\.com$/i"; classtype:trojan-activity; sid:4036141; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/76;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e76 [tlp:white] Outgoing HTTP Domain worldpressjournal.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"worldpressjournal.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])worldpressjournal\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4036142; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/76;) alert dns any any -> any any (msg: "MISP e76 [tlp:white] Domain worldpostjournal.com"; dns.query; content:"worldpostjournal.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])worldpostjournal\.com$/i"; classtype:trojan-activity; sid:4036151; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/76;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e76 [tlp:white] Outgoing HTTP Domain worldpostjournal.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"worldpostjournal.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])worldpostjournal\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4036152; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/76;) alert dns any any -> any any (msg: "MISP e76 [tlp:white] Domain microsoftstoreservice.com"; dns.query; content:"microsoftstoreservice.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])microsoftstoreservice\.com$/i"; classtype:trojan-activity; sid:4036191; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/76;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e76 [tlp:white] Outgoing HTTP 
Domain microsoftstoreservice.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"microsoftstoreservice.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])microsoftstoreservice\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4036192; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/76;) alert dns any any -> any any (msg: "MISP e76 [tlp:white] Domain servicetlnt.net"; dns.query; content:"servicetlnt.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])servicetlnt\.net$/i"; classtype:trojan-activity; sid:4036201; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/76;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e76 [tlp:white] Outgoing HTTP Domain servicetlnt.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"servicetlnt.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])servicetlnt\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4036202; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/76;) alert dns any any -> any any (msg: "MISP e76 [tlp:white] Domain windowsdefltr.net"; dns.query; content:"windowsdefltr.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])windowsdefltr\.net$/i"; classtype:trojan-activity; sid:4036211; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/76;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e76 [tlp:white] Outgoing HTTP Domain windowsdefltr.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"windowsdefltr.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])windowsdefltr\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4036212; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/76;) alert dns any any -> any any (msg: "MISP e76 [tlp:white] Domain appexsrv.net"; dns.query; content:"appexsrv.net"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])appexsrv\.net$/i"; classtype:trojan-activity; sid:4036221; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/76;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e76 [tlp:white] Outgoing HTTP Domain appexsrv.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"appexsrv.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])appexsrv\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4036222; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/76;) alert dns any any -> any any (msg: "MISP e76 [tlp:white] Domain securityprotectingcorp.com"; dns.query; content:"securityprotectingcorp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])securityprotectingcorp\.com$/i"; classtype:trojan-activity; sid:4036231; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/76;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e76 [tlp:white] Outgoing HTTP Domain securityprotectingcorp.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"securityprotectingcorp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])securityprotectingcorp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4036232; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/76;) alert dns any any -> any any (msg: "MISP e76 [tlp:white] Domain uniquecorpind.com"; dns.query; content:"uniquecorpind.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])uniquecorpind\.com$/i"; classtype:trojan-activity; sid:4036241; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/76;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e76 [tlp:white] Outgoing HTTP Domain uniquecorpind.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"uniquecorpind.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])uniquecorpind\.com[^A-Za-z0-9-\.]/Hi"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4036242; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/76;) alert dns any any -> any any (msg: "MISP e76 [tlp:white] Domain versiontask.com"; dns.query; content:"versiontask.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])versiontask\.com$/i"; classtype:trojan-activity; sid:4036251; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/76;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e76 [tlp:white] Outgoing HTTP Domain versiontask.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"versiontask.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])versiontask\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4036252; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/76;) alert dns any any -> any any (msg: "MISP e77 [tlp:white] Domain cis-criminal-report.com"; dns.query; content:"cis-criminal-report.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])cis\-criminal\-report\.com$/i"; classtype:trojan-activity; sid:4036271; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/77;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e77 [tlp:white] Outgoing HTTP Domain cis-criminal-report.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cis-criminal-report.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cis\-criminal\-report\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4036272; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/77;) alert dns any any -> any any (msg: "MISP e77 [tlp:white] Domain criminal-report.in"; dns.query; content:"criminal-report.in"; nocase; pcre: "/(^|[^A-Za-z0-9-])criminal\-report\.in$/i"; classtype:trojan-activity; sid:4036281; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/77;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg: "MISP e77 [tlp:white] Outgoing HTTP Domain criminal-report.in"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"criminal-report.in"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])criminal\-report\.in[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4036282; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/77;) alert dns any any -> any any (msg: "MISP e77 [tlp:white] Domain violation-report.in"; dns.query; content:"violation-report.in"; nocase; pcre: "/(^|[^A-Za-z0-9-])violation\-report\.in$/i"; classtype:trojan-activity; sid:4036301; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/77;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e77 [tlp:white] Outgoing HTTP Domain violation-report.in"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"violation-report.in"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])violation\-report\.in[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4036302; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/77;) alert dns any any -> any any (msg: "MISP e77 [tlp:white] Domain latexfetishsex.com"; dns.query; content:"latexfetishsex.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])latexfetishsex\.com$/i"; classtype:trojan-activity; sid:4036311; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/77;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e77 [tlp:white] Outgoing HTTP Domain latexfetishsex.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"latexfetishsex.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])latexfetishsex\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4036312; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/77;) alert ip $HOME_NET any -> 78.47.134.204 any (msg: "MISP 
e77 [tlp:white] Outgoing To IP: 78.47.134.204"; classtype:trojan-activity; sid:4036321; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/77;) alert dns any any -> any any (msg: "MISP e77 [tlp:white] Domain italy-girls.mobi"; dns.query; content:"italy-girls.mobi"; nocase; pcre: "/(^|[^A-Za-z0-9-])italy\-girls\.mobi$/i"; classtype:trojan-activity; sid:4036331; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/77;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e77 [tlp:white] Outgoing HTTP Domain italy-girls.mobi"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"italy-girls.mobi"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])italy\-girls\.mobi[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4036332; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/77;) alert ip $HOME_NET any -> 5.9.86.131 any (msg: "MISP e77 [tlp:white] Outgoing To IP: 5.9.86.131"; classtype:trojan-activity; sid:4036341; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/77;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e78 [tlp:white] Outgoing URL http|3a|//revital-travel.com/cssSiteteTemplates"; flow:to_server,established; http.header; content:"revital-travel.com"; fast_pattern; nocase; http.uri; content:"/cssSiteteTemplates"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4036401; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/78;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e78 [tlp:white] Outgoing URL http|3a|//juste-travel.com/cssSiteteTemplates"; flow:to_server,established; http.header; content:"juste-travel.com"; fast_pattern; nocase; http.uri; content:"/cssSiteteTemplates"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4036411; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/78;) alert http $HOME_NET any -> 
$EXTERNAL_NET $HTTP_PORTS (msg: "MISP e78 [tlp:white] Outgoing URL http|3a|//park-travels.com"; flow:to_server,established; http.header; content:"park-travels.com"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4036421; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/78;) alert http $HOME_NET any -> 95.215.46.249 $HTTP_PORTS (msg: "MISP e78 [tlp:white] Outgoing URL http|3a|//95.215.46.249"; flow:to_server,established; http.header; content:"95.215.46.249"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4036431; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/78;) alert ip $HOME_NET any -> 179.43.133.34 any (msg: "MISP e78 [tlp:white] Outgoing To IP: 179.43.133.34"; classtype:trojan-activity; sid:4036441; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/78;) alert ip $HOME_NET any -> 192.99.14.211 any (msg: "MISP e78 [tlp:white] Outgoing To IP: 192.99.14.211"; classtype:trojan-activity; sid:4036451; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/78;) alert http $HOME_NET any -> 148.251.18.75 $HTTP_PORTS (msg: "MISP e78 [tlp:white] Outgoing URL http|3a|//148.251.18.75"; flow:to_server,established; http.header; content:"148.251.18.75"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4036461; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/78;) alert http $HOME_NET any -> 95.215.46.221 $HTTP_PORTS (msg: "MISP e78 [tlp:white] Outgoing URL http|3a|//95.215.46.221"; flow:to_server,established; http.header; content:"95.215.46.221"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4036471; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/78;) alert http $HOME_NET any -> 95.215.46.229 $HTTP_PORTS (msg: "MISP e78 [tlp:white] Outgoing URL http|3a|//95.215.46.229"; flow:to_server,established; http.header; content:"95.215.46.229"; nocase; tag:session,600,seconds; classtype:trojan-activity; 
sid:4036481; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/78;) alert http $HOME_NET any -> 95.215.46.234 $HTTP_PORTS (msg: "MISP e78 [tlp:white] Outgoing URL http|3a|//95.215.46.234"; flow:to_server,established; http.header; content:"95.215.46.234"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4036491; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/78;) alert http $HOME_NET any -> 81.17.28.124 $HTTP_PORTS (msg: "MISP e78 [tlp:white] Outgoing URL http|3a|//81.17.28.124"; flow:to_server,established; http.header; content:"81.17.28.124"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4036501; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/78;) alert ip $HOME_NET any -> 5.45.179.173 any (msg: "MISP e78 [tlp:white] Outgoing To IP: 5.45.179.173"; classtype:trojan-activity; sid:4036541; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/78;) alert ip $HOME_NET any -> 92.215.45.94 any (msg: "MISP e78 [tlp:white] Outgoing To IP: 92.215.45.94"; classtype:trojan-activity; sid:4036551; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/78;) alert ip $HOME_NET any -> 188.214.129.65 any (msg: "MISP e79 [tlp:white] Outgoing To IP: 188.214.129.65"; classtype:trojan-activity; sid:4036831; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/79;) alert ip $HOME_NET any -> 94.130.120.179 any (msg: "MISP e79 [tlp:white] Outgoing To IP: 94.130.120.179"; classtype:trojan-activity; sid:4036841; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/79;) alert ip $HOME_NET any -> 23.152.0.210 any (msg: "MISP e79 [tlp:white] Outgoing To IP: 23.152.0.210"; classtype:trojan-activity; sid:4036851; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/79;) alert ip $HOME_NET any -> 95.215.45.221 any (msg: "MISP e79 [tlp:white] Outgoing To IP: 95.215.45.221"; classtype:trojan-activity; sid:4036861; rev:1; 
priority:3; reference:url,https://misp.botvrij.eu/events/view/79;) alert ip $HOME_NET any -> 84.200.84.241 any (msg: "MISP e79 [tlp:white] Outgoing To IP: 84.200.84.241"; classtype:trojan-activity; sid:4036871; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/79;) alert ip $HOME_NET any -> 95.183.51.24 any (msg: "MISP e79 [tlp:white] Outgoing To IP: 95.183.51.24"; classtype:trojan-activity; sid:4036881; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/79;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e79 [tlp:white] Outgoing URL http|3a|//korolev-okna.ru/beacon.exe"; flow:to_server,established; http.header; content:"korolev-okna.ru"; fast_pattern; nocase; http.uri; content:"/beacon.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4036891; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/79;) alert http $HOME_NET any -> 50.115.164.10 $HTTP_PORTS (msg: "MISP e79 [tlp:white] Outgoing URL http|3a|//50.115.164.10/update.exe"; flow:to_server,established; http.header; content:"50.115.164.10"; fast_pattern; nocase; http.uri; content:"/update.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4036901; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/79;) alert http $HOME_NET any -> 176.31.79.123 $HTTP_PORTS (msg: "MISP e79 [tlp:white] Outgoing URL http|3a|//176.31.79.123/~tolipresorts/nig.exe"; flow:to_server,established; http.header; content:"176.31.79.123"; fast_pattern; nocase; http.uri; content:"/~tolipresorts/nig.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4036911; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/79;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e79 [tlp:white] Outgoing URL http|3a|//durok.net/|30 78|/1.exe"; flow:to_server,established; http.header; content:"durok.net"; fast_pattern; nocase; http.uri; content:"/0x/1.exe"; nocase; 
tag:session,600,seconds; classtype:trojan-activity; sid:4036921; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/79;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e79 [tlp:white] Outgoing URL http|3a|//www.sport7boxe.com/METOO.exe"; flow:to_server,established; http.header; content:"www.sport7boxe.com"; fast_pattern; nocase; http.uri; content:"/METOO.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4036931; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/79;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e79 [tlp:white] Outgoing URL http|3a|//methninja.tk/private/hawkraw.exe"; flow:to_server,established; http.header; content:"methninja.tk"; fast_pattern; nocase; http.uri; content:"/private/hawkraw.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4036941; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/79;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e79 [tlp:white] Outgoing URL https|3a|//23.152.0.210/GizS"; tls.sni; content:"23.152.0.210"; tag:session,600,seconds; classtype:trojan-activity; sid:4036951; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/79;) alert dns any any -> any any (msg: "MISP e80 [tlp:white] Domain securityupdates.us"; dns.query; content:"securityupdates.us"; nocase; pcre: "/(^|[^A-Za-z0-9-])securityupdates\.us$/i"; classtype:trojan-activity; sid:4036991; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/80;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e80 [tlp:white] Outgoing HTTP Domain securityupdates.us"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"securityupdates.us"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])securityupdates\.us[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4036992; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/80;) alert dns any any -> any any (msg: "MISP e80 [tlp:white] Domain tr069.pw"; dns.query; content:"tr069.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])tr069\.pw$/i"; classtype:trojan-activity; sid:4037011; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/80;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e80 [tlp:white] Outgoing HTTP Domain tr069.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tr069.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tr069\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4037012; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/80;) alert dns any any -> any any (msg: "MISP e80 [tlp:white] Domain srrys.pw"; dns.query; content:"srrys.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])srrys\.pw$/i"; classtype:trojan-activity; sid:4037021; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/80;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e80 [tlp:white] Outgoing HTTP Domain srrys.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"srrys.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])srrys\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4037022; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/80;) alert ip $HOME_NET any -> 93.174.93.50 any (msg: "MISP e80 [tlp:white] Outgoing To IP: 93.174.93.50"; classtype:trojan-activity; sid:4037031; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/80;) alert ip $HOME_NET any -> 188.209.49.64 any (msg: "MISP e80 [tlp:white] Outgoing To IP: 188.209.49.64"; classtype:trojan-activity; sid:4037041; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/80;) alert ip $HOME_NET any -> 188.209.49.86 any (msg: "MISP e80 [tlp:white] Outgoing To IP: 188.209.49.86"; 
classtype:trojan-activity; sid:4037051; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/80;) alert ip $HOME_NET any -> 188.209.49.60 any (msg: "MISP e80 [tlp:white] Outgoing To IP: 188.209.49.60"; classtype:trojan-activity; sid:4037061; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/80;) alert ip $HOME_NET any -> 188.209.49.168 any (msg: "MISP e80 [tlp:white] Outgoing To IP: 188.209.49.168"; classtype:trojan-activity; sid:4037071; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/80;) alert ip $HOME_NET any -> 5.8.65.1 any (msg: "MISP e80 [tlp:white] Outgoing To IP: 5.8.65.1"; classtype:trojan-activity; sid:4037081; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/80;) alert ip $HOME_NET any -> 5.188.232.1 any (msg: "MISP e80 [tlp:white] Outgoing To IP: 5.188.232.1"; classtype:trojan-activity; sid:4037091; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/80;) alert ip $HOME_NET any -> 5.188.232.2 any (msg: "MISP e80 [tlp:white] Outgoing To IP: 5.188.232.2"; classtype:trojan-activity; sid:4037101; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/80;) alert ip $HOME_NET any -> 5.188.232.3 any (msg: "MISP e80 [tlp:white] Outgoing To IP: 5.188.232.3"; classtype:trojan-activity; sid:4037111; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/80;) alert ip $HOME_NET any -> 5.188.232.4 any (msg: "MISP e80 [tlp:white] Outgoing To IP: 5.188.232.4"; classtype:trojan-activity; sid:4037121; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/80;) alert ip $HOME_NET any -> 212.92.127.146 any (msg: "MISP e80 [tlp:white] Outgoing To IP: 212.92.127.146"; classtype:trojan-activity; sid:4037131; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/80;) alert ip $HOME_NET any -> 5.188.232.71 any (msg: "MISP e80 [tlp:white] Outgoing To IP: 5.188.232.71"; classtype:trojan-activity; sid:4037141; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/80;) alert ip $HOME_NET any -> 5.188.232.141 any (msg: "MISP e80 [tlp:white] Outgoing To IP: 5.188.232.141"; classtype:trojan-activity; sid:4037151; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/80;) alert ip $HOME_NET any -> 5.188.232.152 any (msg: "MISP e80 [tlp:white] Outgoing To IP: 5.188.232.152"; classtype:trojan-activity; sid:4037161; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/80;) alert ip $HOME_NET any -> 37.139.59.69 any (msg: "MISP e80 [tlp:white] Outgoing To IP: 37.139.59.69"; classtype:trojan-activity; sid:4037171; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/80;) alert ip $HOME_NET any -> 93.190.137.212 any (msg: "MISP e81 [tlp:white] Outgoing To IP: 93.190.137.212"; classtype:trojan-activity; sid:4037351; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/81;) alert ip $HOME_NET any -> 95.141.37.3 any (msg: "MISP e81 [tlp:white] Outgoing To IP: 95.141.37.3"; classtype:trojan-activity; sid:4037361; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/81;) alert ip $HOME_NET any -> 80.233.134.147 any (msg: "MISP e81 [tlp:white] Outgoing To IP: 80.233.134.147"; classtype:trojan-activity; sid:4037371; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/81;) alert dns any any -> any any (msg: "MISP e84 [tlp:white] Domain alreyadbplastics.com"; dns.query; content:"alreyadbplastics.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])alreyadbplastics\.com$/i"; classtype:trojan-activity; sid:4038951; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e84 [tlp:white] Outgoing HTTP Domain alreyadbplastics.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"alreyadbplastics.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])alreyadbplastics\.com[^A-Za-z0-9-\.]/Hi"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4038952; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert dns any any -> any any (msg: "MISP e84 [tlp:white] Domain xpweb.win"; dns.query; content:"xpweb.win"; nocase; pcre: "/(^|[^A-Za-z0-9-])xpweb\.win$/i"; classtype:trojan-activity; sid:4038961; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e84 [tlp:white] Outgoing HTTP Domain xpweb.win"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"xpweb.win"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])xpweb\.win[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4038962; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert dns any any -> any any (msg: "MISP e84 [tlp:white] Domain heinevy.com"; dns.query; content:"heinevy.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])heinevy\.com$/i"; classtype:trojan-activity; sid:4038971; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e84 [tlp:white] Outgoing HTTP Domain heinevy.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"heinevy.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])heinevy\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4038972; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert dns any any -> any any (msg: "MISP e84 [tlp:white] Domain overseas-operation.com"; dns.query; content:"overseas-operation.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])overseas\-operation\.com$/i"; classtype:trojan-activity; sid:4038981; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e84 [tlp:white] Outgoing HTTP Domain overseas-operation.com"; 
flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"overseas-operation.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])overseas\-operation\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4038982; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert dns any any -> any any (msg: "MISP e84 [tlp:white] Domain metaksen.com"; dns.query; content:"metaksen.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])metaksen\.com$/i"; classtype:trojan-activity; sid:4038991; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e84 [tlp:white] Outgoing HTTP Domain metaksen.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"metaksen.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])metaksen\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4038992; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert dns any any -> any any (msg: "MISP e84 [tlp:white] Domain charlogistics.com"; dns.query; content:"charlogistics.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])charlogistics\.com$/i"; classtype:trojan-activity; sid:4039001; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e84 [tlp:white] Outgoing HTTP Domain charlogistics.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"charlogistics.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])charlogistics\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4039002; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert dns any any -> any any (msg: "MISP e84 [tlp:white] Domain btinterment.com"; dns.query; content:"btinterment.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])btinterment\.com$/i"; 
classtype:trojan-activity; sid:4039011; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e84 [tlp:white] Outgoing HTTP Domain btinterment.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"btinterment.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])btinterment\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4039012; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert dns any any -> any any (msg: "MISP e84 [tlp:white] Domain kinqnuts-raaphorst.com"; dns.query; content:"kinqnuts-raaphorst.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])kinqnuts\-raaphorst\.com$/i"; classtype:trojan-activity; sid:4039021; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e84 [tlp:white] Outgoing HTTP Domain kinqnuts-raaphorst.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kinqnuts-raaphorst.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kinqnuts\-raaphorst\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4039022; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert dns any any -> any any (msg: "MISP e84 [tlp:white] Domain watersysterns.com"; dns.query; content:"watersysterns.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])watersysterns\.com$/i"; classtype:trojan-activity; sid:4039031; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e84 [tlp:white] Outgoing HTTP Domain watersysterns.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"watersysterns.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])watersysterns\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; 
sid:4039032; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert dns any any -> any any (msg: "MISP e84 [tlp:white] Domain hidroquil-ar.com"; dns.query; content:"hidroquil-ar.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])hidroquil\-ar\.com$/i"; classtype:trojan-activity; sid:4039041; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e84 [tlp:white] Outgoing HTTP Domain hidroquil-ar.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hidroquil-ar.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hidroquil\-ar\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4039042; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert dns any any -> any any (msg: "MISP e84 [tlp:white] Domain thai-nidhi.com"; dns.query; content:"thai-nidhi.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])thai\-nidhi\.com$/i"; classtype:trojan-activity; sid:4039051; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e84 [tlp:white] Outgoing HTTP Domain thai-nidhi.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"thai-nidhi.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])thai\-nidhi\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4039052; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert dns any any -> any any (msg: "MISP e84 [tlp:white] Domain ms45-hinet.net"; dns.query; content:"ms45-hinet.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])ms45\-hinet\.net$/i"; classtype:trojan-activity; sid:4039061; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e84 [tlp:white] Outgoing HTTP Domain ms45-hinet.net"; flow:to_server,established; 
http.header; content: "Host|3a|"; nocase; http.header; content:"ms45-hinet.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ms45\-hinet\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4039062; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert dns any any -> any any (msg: "MISP e84 [tlp:white] Domain fullone2u.com"; dns.query; content:"fullone2u.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])fullone2u\.com$/i"; classtype:trojan-activity; sid:4039071; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e84 [tlp:white] Outgoing HTTP Domain fullone2u.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"fullone2u.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])fullone2u\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4039072; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert dns any any -> any any (msg: "MISP e84 [tlp:white] Domain poolkingsthailand.com"; dns.query; content:"poolkingsthailand.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])poolkingsthailand\.com$/i"; classtype:trojan-activity; sid:4039081; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e84 [tlp:white] Outgoing HTTP Domain poolkingsthailand.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"poolkingsthailand.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])poolkingsthailand\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4039082; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert dns any any -> any any (msg: "MISP e84 [tlp:white] Domain soaaxa.biz"; dns.query; content:"soaaxa.biz"; nocase; pcre: "/(^|[^A-Za-z0-9-])soaaxa\.biz$/i"; classtype:trojan-activity; sid:4039091; 
rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e84 [tlp:white] Outgoing HTTP Domain soaaxa.biz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"soaaxa.biz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])soaaxa\.biz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4039092; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert dns any any -> any any (msg: "MISP e84 [tlp:white] Domain restarz.biz"; dns.query; content:"restarz.biz"; nocase; pcre: "/(^|[^A-Za-z0-9-])restarz\.biz$/i"; classtype:trojan-activity; sid:4039101; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e84 [tlp:white] Outgoing HTTP Domain restarz.biz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"restarz.biz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])restarz\.biz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4039102; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert dns any any -> any any (msg: "MISP e84 [tlp:white] Domain galaxystarshop.com"; dns.query; content:"galaxystarshop.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])galaxystarshop\.com$/i"; classtype:trojan-activity; sid:4039111; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e84 [tlp:white] Outgoing HTTP Domain galaxystarshop.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"galaxystarshop.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])galaxystarshop\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4039112; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert dns any any -> any any 
(msg: "MISP e84 [tlp:white] Domain asappyco.biz"; dns.query; content:"asappyco.biz"; nocase; pcre: "/(^|[^A-Za-z0-9-])asappyco\.biz$/i"; classtype:trojan-activity; sid:4039121; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e84 [tlp:white] Outgoing HTTP Domain asappyco.biz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"asappyco.biz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])asappyco\.biz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4039122; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert dns any any -> any any (msg: "MISP e84 [tlp:white] Domain gettoworkzz.biz"; dns.query; content:"gettoworkzz.biz"; nocase; pcre: "/(^|[^A-Za-z0-9-])gettoworkzz\.biz$/i"; classtype:trojan-activity; sid:4039131; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e84 [tlp:white] Outgoing HTTP Domain gettoworkzz.biz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gettoworkzz.biz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gettoworkzz\.biz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4039132; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert dns any any -> any any (msg: "MISP e84 [tlp:white] Domain yasive.biz"; dns.query; content:"yasive.biz"; nocase; pcre: "/(^|[^A-Za-z0-9-])yasive\.biz$/i"; classtype:trojan-activity; sid:4039141; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e84 [tlp:white] Outgoing HTTP Domain yasive.biz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"yasive.biz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])yasive\.biz[^A-Za-z0-9-\.]/Hi"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4039142; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert dns any any -> any any (msg: "MISP e84 [tlp:white] Domain alu-heat.biz"; dns.query; content:"alu-heat.biz"; nocase; pcre: "/(^|[^A-Za-z0-9-])alu\-heat\.biz$/i"; classtype:trojan-activity; sid:4039151; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e84 [tlp:white] Outgoing HTTP Domain alu-heat.biz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"alu-heat.biz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])alu\-heat\.biz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4039152; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert ip $HOME_NET any -> 66.23.226.40 any (msg: "MISP e84 [tlp:white] Outgoing To IP: 66.23.226.40"; classtype:trojan-activity; sid:4039161; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert dns any any -> any any (msg: "MISP e84 [tlp:white] Domain sinctruk.com"; dns.query; content:"sinctruk.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])sinctruk\.com$/i"; classtype:trojan-activity; sid:4039171; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e84 [tlp:white] Outgoing HTTP Domain sinctruk.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sinctruk.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sinctruk\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4039172; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert dns any any -> any any (msg: "MISP e84 [tlp:white] Domain pguy.faith"; dns.query; content:"pguy.faith"; nocase; pcre: "/(^|[^A-Za-z0-9-])pguy\.faith$/i"; classtype:trojan-activity; sid:4039181; rev:1; 
priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e84 [tlp:white] Outgoing HTTP Domain pguy.faith"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pguy.faith"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pguy\.faith[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4039182; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert dns any any -> any any (msg: "MISP e84 [tlp:white] Domain chunfenqlighting.com"; dns.query; content:"chunfenqlighting.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])chunfenqlighting\.com$/i"; classtype:trojan-activity; sid:4039191; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e84 [tlp:white] Outgoing HTTP Domain chunfenqlighting.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"chunfenqlighting.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])chunfenqlighting\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4039192; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert dns any any -> any any (msg: "MISP e84 [tlp:white] Domain hunterkaysmoves.in"; dns.query; content:"hunterkaysmoves.in"; nocase; pcre: "/(^|[^A-Za-z0-9-])hunterkaysmoves\.in$/i"; classtype:trojan-activity; sid:4039201; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e84 [tlp:white] Outgoing HTTP Domain hunterkaysmoves.in"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hunterkaysmoves.in"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hunterkaysmoves\.in[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4039202; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/84;) alert dns any any -> any any (msg: "MISP e84 [tlp:white] Domain danqote.com"; dns.query; content:"danqote.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])danqote\.com$/i"; classtype:trojan-activity; sid:4039211; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e84 [tlp:white] Outgoing HTTP Domain danqote.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"danqote.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])danqote\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4039212; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert dns any any -> any any (msg: "MISP e84 [tlp:white] Domain biblesoceities.org"; dns.query; content:"biblesoceities.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])biblesoceities\.org$/i"; classtype:trojan-activity; sid:4039221; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e84 [tlp:white] Outgoing HTTP Domain biblesoceities.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"biblesoceities.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])biblesoceities\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4039222; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert dns any any -> any any (msg: "MISP e84 [tlp:white] Domain sympetax.com"; dns.query; content:"sympetax.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])sympetax\.com$/i"; classtype:trojan-activity; sid:4039231; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e84 [tlp:white] Outgoing HTTP Domain sympetax.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; 
content:"sympetax.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sympetax\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4039232; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert dns any any -> any any (msg: "MISP e84 [tlp:white] Domain lumibrigth.com"; dns.query; content:"lumibrigth.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])lumibrigth\.com$/i"; classtype:trojan-activity; sid:4039241; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e84 [tlp:white] Outgoing HTTP Domain lumibrigth.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lumibrigth.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lumibrigth\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4039242; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert dns any any -> any any (msg: "MISP e84 [tlp:white] Domain bothela-orsaro.com"; dns.query; content:"bothela-orsaro.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])bothela\-orsaro\.com$/i"; classtype:trojan-activity; sid:4039251; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e84 [tlp:white] Outgoing HTTP Domain bothela-orsaro.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bothela-orsaro.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bothela\-orsaro\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4039252; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert dns any any -> any any (msg: "MISP e84 [tlp:white] Hostname www.creativeforwardings.cf"; dns.query; content:"www.creativeforwardings.cf"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.creativeforwardings\.cf$/i"; classtype:trojan-activity; sid:4039411; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/84;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e84 [tlp:white] Outgoing HTTP Hostname www.creativeforwardings.cf"; flow:to_server,established; http.header; content: "Host|3a| www.creativeforwardings.cf"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.creativeforwardings\.cf[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4039412; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert dns any any -> any any (msg: "MISP e84 [tlp:white] Hostname shadowwalkersonline.co.uk"; dns.query; content:"shadowwalkersonline.co.uk"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])shadowwalkersonline\.co\.uk$/i"; classtype:trojan-activity; sid:4039421; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e84 [tlp:white] Outgoing HTTP Hostname shadowwalkersonline.co.uk"; flow:to_server,established; http.header; content: "Host|3a| shadowwalkersonline.co.uk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])shadowwalkersonline\.co\.uk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4039422; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert dns any any -> any any (msg: "MISP e84 [tlp:white] Hostname owwalkersonline.co.uk"; dns.query; content:"owwalkersonline.co.uk"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])owwalkersonline\.co\.uk$/i"; classtype:trojan-activity; sid:4039431; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e84 [tlp:white] Outgoing HTTP Hostname owwalkersonline.co.uk"; flow:to_server,established; http.header; content: "Host|3a| owwalkersonline.co.uk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])owwalkersonline\.co\.uk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4039432; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/84;) alert dns any any -> any any (msg: "MISP e84 [tlp:white] Hostname www.ballerpushers.cf"; dns.query; content:"www.ballerpushers.cf"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.ballerpushers\.cf$/i"; classtype:trojan-activity; sid:4039441; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e84 [tlp:white] Outgoing HTTP Hostname www.ballerpushers.cf"; flow:to_server,established; http.header; content: "Host|3a| www.ballerpushers.cf"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.ballerpushers\.cf[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4039442; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert dns any any -> any any (msg: "MISP e84 [tlp:white] Hostname remote.legacyrealestateadvisors.net"; dns.query; content:"remote.legacyrealestateadvisors.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])remote\.legacyrealestateadvisors\.net$/i"; classtype:trojan-activity; sid:4039451; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e84 [tlp:white] Outgoing HTTP Hostname remote.legacyrealestateadvisors.net"; flow:to_server,established; http.header; content: "Host|3a| remote.legacyrealestateadvisors.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])remote\.legacyrealestateadvisors\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4039452; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert dns any any -> any any (msg: "MISP e84 [tlp:white] Hostname alibabadns.legacyrealestateadvisors.net"; dns.query; content:"alibabadns.legacyrealestateadvisors.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])alibabadns\.legacyrealestateadvisors\.net$/i"; classtype:trojan-activity; sid:4039461; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e84 [tlp:white] Outgoing HTTP Hostname alibabadns.legacyrealestateadvisors.net"; flow:to_server,established; http.header; content: "Host|3a| alibabadns.legacyrealestateadvisors.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])alibabadns\.legacyrealestateadvisors\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4039462; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert dns any any -> any any (msg: "MISP e84 [tlp:white] Domain hardworkzone.cf"; dns.query; content:"hardworkzone.cf"; nocase; pcre: "/(^|[^A-Za-z0-9-])hardworkzone\.cf$/i"; classtype:trojan-activity; sid:4039681; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e84 [tlp:white] Outgoing HTTP Domain hardworkzone.cf"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hardworkzone.cf"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hardworkzone\.cf[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4039682; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert dns any any -> any any (msg: "MISP e84 [tlp:white] Hostname ivicker.usa.cc"; dns.query; content:"ivicker.usa.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ivicker\.usa\.cc$/i"; classtype:trojan-activity; sid:4039691; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e84 [tlp:white] Outgoing HTTP Hostname ivicker.usa.cc"; flow:to_server,established; http.header; content: "Host|3a| ivicker.usa.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ivicker\.usa\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4039692; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert dns any any -> any any (msg: "MISP e84 [tlp:white] Hostname 
limco.usa.cc"; dns.query; content:"limco.usa.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])limco\.usa\.cc$/i"; classtype:trojan-activity; sid:4039701; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e84 [tlp:white] Outgoing HTTP Hostname limco.usa.cc"; flow:to_server,established; http.header; content: "Host|3a| limco.usa.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])limco\.usa\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4039702; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert dns any any -> any any (msg: "MISP e84 [tlp:white] Hostname cs19335.tmweb.ru"; dns.query; content:"cs19335.tmweb.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cs19335\.tmweb\.ru$/i"; classtype:trojan-activity; sid:4039711; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e84 [tlp:white] Outgoing HTTP Hostname cs19335.tmweb.ru"; flow:to_server,established; http.header; content: "Host|3a| cs19335.tmweb.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cs19335\.tmweb\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4039712; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert dns any any -> any any (msg: "MISP e84 [tlp:white] Domain mirchifunz.in"; dns.query; content:"mirchifunz.in"; nocase; pcre: "/(^|[^A-Za-z0-9-])mirchifunz\.in$/i"; classtype:trojan-activity; sid:4039721; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e84 [tlp:white] Outgoing HTTP Domain mirchifunz.in"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mirchifunz.in"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mirchifunz\.in[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4039722; 
rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert ip $HOME_NET any -> 178.175.138.196 any (msg: "MISP e84 [tlp:white] Outgoing To IP: 178.175.138.196"; classtype:trojan-activity; sid:4039751; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert dns any any -> any any (msg: "MISP e84 [tlp:white] Hostname gavingo2135235.ddns.net"; dns.query; content:"gavingo2135235.ddns.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])gavingo2135235\.ddns\.net$/i"; classtype:trojan-activity; sid:4039761; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e84 [tlp:white] Outgoing HTTP Hostname gavingo2135235.ddns.net"; flow:to_server,established; http.header; content: "Host|3a| gavingo2135235.ddns.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])gavingo2135235\.ddns\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4039762; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert dns any any -> any any (msg: "MISP e84 [tlp:white] Hostname www.spmersclub.cf"; dns.query; content:"www.spmersclub.cf"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.spmersclub\.cf$/i"; classtype:trojan-activity; sid:4039771; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e84 [tlp:white] Outgoing HTTP Hostname www.spmersclub.cf"; flow:to_server,established; http.header; content: "Host|3a| www.spmersclub.cf"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.spmersclub\.cf[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4039772; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert dns any any -> any any (msg: "MISP e84 [tlp:white] Domain hungasidy.biz"; dns.query; content:"hungasidy.biz"; nocase; pcre: "/(^|[^A-Za-z0-9-])hungasidy\.biz$/i"; classtype:trojan-activity; sid:4039921; rev:1; 
priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e84 [tlp:white] Outgoing HTTP Domain hungasidy.biz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hungasidy.biz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hungasidy\.biz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4039922; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert ip $HOME_NET any -> 186.202.127.132 any (msg: "MISP e84 [tlp:white] Outgoing To IP: 186.202.127.132"; classtype:trojan-activity; sid:4039931; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/84;) alert dns any any -> any any (msg: "MISP e86 [tlp:white] Domain eyepyramid.com"; dns.query; content:"eyepyramid.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])eyepyramid\.com$/i"; classtype:trojan-activity; sid:4042551; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/86;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e86 [tlp:white] Outgoing HTTP Domain eyepyramid.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"eyepyramid.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])eyepyramid\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4042552; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/86;) alert dns any any -> any any (msg: "MISP e86 [tlp:white] Domain hostpenta.com"; dns.query; content:"hostpenta.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])hostpenta\.com$/i"; classtype:trojan-activity; sid:4042561; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/86;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e86 [tlp:white] Outgoing HTTP Domain hostpenta.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hostpenta.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])hostpenta\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4042562; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/86;) alert dns any any -> any any (msg: "MISP e86 [tlp:white] Domain ayexisfitness.com"; dns.query; content:"ayexisfitness.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ayexisfitness\.com$/i"; classtype:trojan-activity; sid:4042571; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/86;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e86 [tlp:white] Outgoing HTTP Domain ayexisfitness.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ayexisfitness.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ayexisfitness\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4042572; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/86;) alert dns any any -> any any (msg: "MISP e86 [tlp:white] Domain enasrl.com"; dns.query; content:"enasrl.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])enasrl\.com$/i"; classtype:trojan-activity; sid:4042581; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/86;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e86 [tlp:white] Outgoing HTTP Domain enasrl.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"enasrl.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])enasrl\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4042582; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/86;) alert dns any any -> any any (msg: "MISP e86 [tlp:white] Domain eurecoove.com"; dns.query; content:"eurecoove.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])eurecoove\.com$/i"; classtype:trojan-activity; sid:4042591; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/86;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e86 
[tlp:white] Outgoing HTTP Domain eurecoove.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"eurecoove.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])eurecoove\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4042592; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/86;) alert dns any any -> any any (msg: "MISP e86 [tlp:white] Domain marashen.com"; dns.query; content:"marashen.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])marashen\.com$/i"; classtype:trojan-activity; sid:4042601; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/86;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e86 [tlp:white] Outgoing HTTP Domain marashen.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"marashen.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])marashen\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4042602; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/86;) alert dns any any -> any any (msg: "MISP e86 [tlp:white] Domain millertaylor.com"; dns.query; content:"millertaylor.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])millertaylor\.com$/i"; classtype:trojan-activity; sid:4042611; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/86;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e86 [tlp:white] Outgoing HTTP Domain millertaylor.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"millertaylor.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])millertaylor\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4042612; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/86;) alert dns any any -> any any (msg: "MISP e86 [tlp:white] Domain occhionero.com"; dns.query; content:"occhionero.com"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])occhionero\.com$/i"; classtype:trojan-activity; sid:4042621; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/86;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e86 [tlp:white] Outgoing HTTP Domain occhionero.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"occhionero.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])occhionero\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4042622; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/86;) alert dns any any -> any any (msg: "MISP e86 [tlp:white] Domain occhionero.info"; dns.query; content:"occhionero.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])occhionero\.info$/i"; classtype:trojan-activity; sid:4042631; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/86;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e86 [tlp:white] Outgoing HTTP Domain occhionero.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"occhionero.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])occhionero\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4042632; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/86;) alert dns any any -> any any (msg: "MISP e86 [tlp:white] Domain wallserv.com"; dns.query; content:"wallserv.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])wallserv\.com$/i"; classtype:trojan-activity; sid:4042641; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/86;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e86 [tlp:white] Outgoing HTTP Domain wallserv.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wallserv.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wallserv\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4042642; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/86;) alert dns any any -> any any (msg: "MISP e86 [tlp:white] Domain westlands.com"; dns.query; content:"westlands.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])westlands\.com$/i"; classtype:trojan-activity; sid:4042651; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/86;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e86 [tlp:white] Outgoing HTTP Domain westlands.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"westlands.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])westlands\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4042652; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/86;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e87 [tlp:white] Outgoing URL https|3a|//script.google.com/macros/s/AKfycbzuykcvX7j3TlBNyQfxtB1mqii31b4VTON640yiRJT0t6rS4s4/exec"; tls.sni; content:"script.google.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4042711; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/87;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e87 [tlp:white] Outgoing URL https|3a|//script.google.com/macros/s/AKfycbxxx5DHr0F8AYhLuDjnp7kGNELq6g27J4c_JWWx1p1nDfZh6InO/exec"; tls.sni; content:"script.google.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4042721; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/87;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e87 [tlp:white] Outgoing URL https|3a|//script.google.com/macros/s/AKfycbwZHCgg5EsCiPup_mNxDbSX7k7yBMeXWenOVN1BWXHmyBpb8ng/exec"; tls.sni; content:"script.google.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4042731; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/87;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e87 [tlp:white] Outgoing URL 
https|3a|//docs.google.com/forms/d/e/1FAIpQLScx9gwNadC7Vjo11mXLbU3aBQRrqVpoWjmNJ1ZneqpjaYLE3g/formResponse"; tls.sni; content:"docs.google.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4042741; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/87;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e87 [tlp:white] Outgoing URL https|3a|//docs.google.com/forms/d/e/1FAIpQLSfE9kshYBFSDAfRclW8m9rAdajqoYhzhEYmEAgZexE3LQ-17A/formResponse"; tls.sni; content:"docs.google.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4042751; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/87;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e87 [tlp:white] Outgoing URL https|3a|//docs.google.com/forms/d/e/1FAIpQLSdcdE7lTEiqV5MW3Up8Hgcy5NGkIKnLKoe0YPFriD4_9qYq9A/formResponse"; tls.sni; content:"docs.google.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4042761; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/87;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e87 [tlp:white] Outgoing URL http|3a|//atlantis-bahamas.com/css/informs.jsp"; flow:to_server,established; http.header; content:"atlantis-bahamas.com"; fast_pattern; nocase; http.uri; content:"/css/informs.jsp"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4042771; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/87;) alert http $HOME_NET any -> 138.201.44.4 $HTTP_PORTS (msg: "MISP e87 [tlp:white] Outgoing URL http|3a|//138.201.44.4/informs.jsp"; flow:to_server,established; http.header; content:"138.201.44.4"; fast_pattern; nocase; http.uri; content:"/informs.jsp"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4042781; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/87;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e88 [tlp:white] Source Email Address: r6789986@mail.kz"; flow:established,to_server; 
content:"MAIL FROM|3a|"; nocase; content:"r6789986@mail.kz"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4042811; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/88;) alert ip $HOME_NET any -> 108.61.176.96 any (msg: "MISP e90 [tlp:white] Outgoing To IP: 108.61.176.96"; classtype:trojan-activity; sid:4042901; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert ip $HOME_NET any -> 104.238.191.204 any (msg: "MISP e90 [tlp:white] Outgoing To IP: 104.238.191.204"; classtype:trojan-activity; sid:4042911; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert ip $HOME_NET any -> 176.123.26.42 any (msg: "MISP e90 [tlp:white] Outgoing To IP: 176.123.26.42"; classtype:trojan-activity; sid:4042921; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert dns any any -> any any (msg: "MISP e90 [tlp:white] Hostname account-google.serveftp.com"; dns.query; content:"account-google.serveftp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])account\-google\.serveftp\.com$/i"; classtype:trojan-activity; sid:4042931; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e90 [tlp:white] Outgoing HTTP Hostname account-google.serveftp.com"; flow:to_server,established; http.header; content: "Host|3a| account-google.serveftp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])account\-google\.serveftp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4042932; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert dns any any -> any any (msg: "MISP e90 [tlp:white] Hostname aramex-shipping.servehttp.com"; dns.query; content:"aramex-shipping.servehttp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])aramex\-shipping\.servehttp\.com$/i"; classtype:trojan-activity; sid:4042941; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/90;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e90 [tlp:white] Outgoing HTTP Hostname aramex-shipping.servehttp.com"; flow:to_server,established; http.header; content: "Host|3a| aramex-shipping.servehttp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])aramex\-shipping\.servehttp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4042942; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert dns any any -> any any (msg: "MISP e90 [tlp:white] Hostname device-activation.servehttp.com"; dns.query; content:"device-activation.servehttp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])device\-activation\.servehttp\.com$/i"; classtype:trojan-activity; sid:4042951; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e90 [tlp:white] Outgoing HTTP Hostname device-activation.servehttp.com"; flow:to_server,established; http.header; content: "Host|3a| device-activation.servehttp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])device\-activation\.servehttp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4042952; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert dns any any -> any any (msg: "MISP e90 [tlp:white] Hostname dropbox-service.serveftp.com"; dns.query; content:"dropbox-service.serveftp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])dropbox\-service\.serveftp\.com$/i"; classtype:trojan-activity; sid:4042961; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e90 [tlp:white] Outgoing HTTP Hostname dropbox-service.serveftp.com"; flow:to_server,established; http.header; content: "Host|3a| dropbox-service.serveftp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])dropbox\-service\.serveftp\.com[^A-Za-z0-9-\.]/Hi"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4042962; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert dns any any -> any any (msg: "MISP e90 [tlp:white] Hostname dropbox-sign.servehttp.com"; dns.query; content:"dropbox-sign.servehttp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])dropbox\-sign\.servehttp\.com$/i"; classtype:trojan-activity; sid:4042971; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e90 [tlp:white] Outgoing HTTP Hostname dropbox-sign.servehttp.com"; flow:to_server,established; http.header; content: "Host|3a| dropbox-sign.servehttp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])dropbox\-sign\.servehttp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4042972; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert dns any any -> any any (msg: "MISP e90 [tlp:white] Hostname dropboxsupport.servehttp.com"; dns.query; content:"dropboxsupport.servehttp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])dropboxsupport\.servehttp\.com$/i"; classtype:trojan-activity; sid:4042981; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e90 [tlp:white] Outgoing HTTP Hostname dropboxsupport.servehttp.com"; flow:to_server,established; http.header; content: "Host|3a| dropboxsupport.servehttp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])dropboxsupport\.servehttp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4042982; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert dns any any -> any any (msg: "MISP e90 [tlp:white] Hostname fedex-mail.servehttp.com"; dns.query; content:"fedex-mail.servehttp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])fedex\-mail\.servehttp\.com$/i"; classtype:trojan-activity; sid:4042991; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/90;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e90 [tlp:white] Outgoing HTTP Hostname fedex-mail.servehttp.com"; flow:to_server,established; http.header; content: "Host|3a| fedex-mail.servehttp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])fedex\-mail\.servehttp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4042992; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert dns any any -> any any (msg: "MISP e90 [tlp:white] Hostname fedex-shipping.servehttp.com"; dns.query; content:"fedex-shipping.servehttp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])fedex\-shipping\.servehttp\.com$/i"; classtype:trojan-activity; sid:4043001; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e90 [tlp:white] Outgoing HTTP Hostname fedex-shipping.servehttp.com"; flow:to_server,established; http.header; content: "Host|3a| fedex-shipping.servehttp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])fedex\-shipping\.servehttp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4043002; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert dns any any -> any any (msg: "MISP e90 [tlp:white] Hostname fedex-sign.servehttp.com"; dns.query; content:"fedex-sign.servehttp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])fedex\-sign\.servehttp\.com$/i"; classtype:trojan-activity; sid:4043011; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e90 [tlp:white] Outgoing HTTP Hostname fedex-sign.servehttp.com"; flow:to_server,established; http.header; content: "Host|3a| fedex-sign.servehttp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])fedex\-sign\.servehttp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4043012; rev:1; 
priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert dns any any -> any any (msg: "MISP e90 [tlp:white] Hostname googledriver-sign.ddns.net"; dns.query; content:"googledriver-sign.ddns.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])googledriver\-sign\.ddns\.net$/i"; classtype:trojan-activity; sid:4043021; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e90 [tlp:white] Outgoing HTTP Hostname googledriver-sign.ddns.net"; flow:to_server,established; http.header; content: "Host|3a| googledriver-sign.ddns.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])googledriver\-sign\.ddns\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4043022; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert dns any any -> any any (msg: "MISP e90 [tlp:white] Hostname googledrive-sign.servehttp.com"; dns.query; content:"googledrive-sign.servehttp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])googledrive\-sign\.servehttp\.com$/i"; classtype:trojan-activity; sid:4043031; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e90 [tlp:white] Outgoing HTTP Hostname googledrive-sign.servehttp.com"; flow:to_server,established; http.header; content: "Host|3a| googledrive-sign.servehttp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])googledrive\-sign\.servehttp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4043032; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert dns any any -> any any (msg: "MISP e90 [tlp:white] Hostname google-maps.servehttp.com"; dns.query; content:"google-maps.servehttp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])google\-maps\.servehttp\.com$/i"; classtype:trojan-activity; sid:4043041; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg: "MISP e90 [tlp:white] Outgoing HTTP Hostname google-maps.servehttp.com"; flow:to_server,established; http.header; content: "Host|3a| google-maps.servehttp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])google\-maps\.servehttp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4043042; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert dns any any -> any any (msg: "MISP e90 [tlp:white] Hostname googlesecure-serv.servehttp.com"; dns.query; content:"googlesecure-serv.servehttp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])googlesecure\-serv\.servehttp\.com$/i"; classtype:trojan-activity; sid:4043051; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e90 [tlp:white] Outgoing HTTP Hostname googlesecure-serv.servehttp.com"; flow:to_server,established; http.header; content: "Host|3a| googlesecure-serv.servehttp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])googlesecure\-serv\.servehttp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4043052; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert dns any any -> any any (msg: "MISP e90 [tlp:white] Hostname googlesignin.servehttp.com"; dns.query; content:"googlesignin.servehttp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])googlesignin\.servehttp\.com$/i"; classtype:trojan-activity; sid:4043061; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e90 [tlp:white] Outgoing HTTP Hostname googlesignin.servehttp.com"; flow:to_server,established; http.header; content: "Host|3a| googlesignin.servehttp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])googlesignin\.servehttp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4043062; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/90;) alert dns any any -> any any (msg: "MISP e90 [tlp:white] Hostname googleverify-signin.servehttp.com"; dns.query; content:"googleverify-signin.servehttp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])googleverify\-signin\.servehttp\.com$/i"; classtype:trojan-activity; sid:4043071; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e90 [tlp:white] Outgoing HTTP Hostname googleverify-signin.servehttp.com"; flow:to_server,established; http.header; content: "Host|3a| googleverify-signin.servehttp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])googleverify\-signin\.servehttp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4043072; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert dns any any -> any any (msg: "MISP e90 [tlp:white] Hostname mailgooglesign.servehttp.com"; dns.query; content:"mailgooglesign.servehttp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mailgooglesign\.servehttp\.com$/i"; classtype:trojan-activity; sid:4043081; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e90 [tlp:white] Outgoing HTTP Hostname mailgooglesign.servehttp.com"; flow:to_server,established; http.header; content: "Host|3a| mailgooglesign.servehttp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mailgooglesign\.servehttp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4043082; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert dns any any -> any any (msg: "MISP e90 [tlp:white] Hostname myaccount.servehttp.com"; dns.query; content:"myaccount.servehttp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])myaccount\.servehttp\.com$/i"; classtype:trojan-activity; sid:4043091; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e90 [tlp:white] Outgoing HTTP Hostname myaccount.servehttp.com"; flow:to_server,established; http.header; content: "Host|3a| myaccount.servehttp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])myaccount\.servehttp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4043092; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert dns any any -> any any (msg: "MISP e90 [tlp:white] Hostname secure-team.servehttp.com"; dns.query; content:"secure-team.servehttp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])secure\-team\.servehttp\.com$/i"; classtype:trojan-activity; sid:4043101; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e90 [tlp:white] Outgoing HTTP Hostname secure-team.servehttp.com"; flow:to_server,established; http.header; content: "Host|3a| secure-team.servehttp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])secure\-team\.servehttp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4043102; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert dns any any -> any any (msg: "MISP e90 [tlp:white] Hostname security-myaccount.servehttp.com"; dns.query; content:"security-myaccount.servehttp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])security\-myaccount\.servehttp\.com$/i"; classtype:trojan-activity; sid:4043111; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e90 [tlp:white] Outgoing HTTP Hostname security-myaccount.servehttp.com"; flow:to_server,established; http.header; content: "Host|3a| security-myaccount.servehttp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])security\-myaccount\.servehttp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4043112; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/90;) alert dns any any -> any any (msg: "MISP e90 [tlp:white] Hostname verification-acc.servehttp.com"; dns.query; content:"verification-acc.servehttp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])verification\-acc\.servehttp\.com$/i"; classtype:trojan-activity; sid:4043121; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e90 [tlp:white] Outgoing HTTP Hostname verification-acc.servehttp.com"; flow:to_server,established; http.header; content: "Host|3a| verification-acc.servehttp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])verification\-acc\.servehttp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4043122; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert dns any any -> any any (msg: "MISP e90 [tlp:white] Hostname dropbox-verfy.servehttp.com"; dns.query; content:"dropbox-verfy.servehttp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])dropbox\-verfy\.servehttp\.com$/i"; classtype:trojan-activity; sid:4043131; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e90 [tlp:white] Outgoing HTTP Hostname dropbox-verfy.servehttp.com"; flow:to_server,established; http.header; content: "Host|3a| dropbox-verfy.servehttp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])dropbox\-verfy\.servehttp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4043132; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert dns any any -> any any (msg: "MISP e90 [tlp:white] Hostname fedex-s.servehttp.com"; dns.query; content:"fedex-s.servehttp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])fedex\-s\.servehttp\.com$/i"; classtype:trojan-activity; sid:4043141; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg: "MISP e90 [tlp:white] Outgoing HTTP Hostname fedex-s.servehttp.com"; flow:to_server,established; http.header; content: "Host|3a| fedex-s.servehttp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])fedex\-s\.servehttp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4043142; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert dns any any -> any any (msg: "MISP e90 [tlp:white] Hostname watchyoutube.servehttp.com"; dns.query; content:"watchyoutube.servehttp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])watchyoutube\.servehttp\.com$/i"; classtype:trojan-activity; sid:4043151; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e90 [tlp:white] Outgoing HTTP Hostname watchyoutube.servehttp.com"; flow:to_server,established; http.header; content: "Host|3a| watchyoutube.servehttp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])watchyoutube\.servehttp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4043152; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert dns any any -> any any (msg: "MISP e90 [tlp:white] Hostname verification-team.servehttp.com"; dns.query; content:"verification-team.servehttp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])verification\-team\.servehttp\.com$/i"; classtype:trojan-activity; sid:4043161; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e90 [tlp:white] Outgoing HTTP Hostname verification-team.servehttp.com"; flow:to_server,established; http.header; content: "Host|3a| verification-team.servehttp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])verification\-team\.servehttp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4043162; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) 
alert dns any any -> any any (msg: "MISP e90 [tlp:white] Hostname securityteam-notify.servehttp.com"; dns.query; content:"securityteam-notify.servehttp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])securityteam\-notify\.servehttp\.com$/i"; classtype:trojan-activity; sid:4043171; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e90 [tlp:white] Outgoing HTTP Hostname securityteam-notify.servehttp.com"; flow:to_server,established; http.header; content: "Host|3a| securityteam-notify.servehttp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])securityteam\-notify\.servehttp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4043172; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert dns any any -> any any (msg: "MISP e90 [tlp:white] Hostname secure-alert.servehttp.com"; dns.query; content:"secure-alert.servehttp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])secure\-alert\.servehttp\.com$/i"; classtype:trojan-activity; sid:4043181; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e90 [tlp:white] Outgoing HTTP Hostname secure-alert.servehttp.com"; flow:to_server,established; http.header; content: "Host|3a| secure-alert.servehttp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])secure\-alert\.servehttp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4043182; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert dns any any -> any any (msg: "MISP e90 [tlp:white] Hostname quota-notification.servehttp.com"; dns.query; content:"quota-notification.servehttp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])quota\-notification\.servehttp\.com$/i"; classtype:trojan-activity; sid:4043191; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg: "MISP e90 [tlp:white] Outgoing HTTP Hostname quota-notification.servehttp.com"; flow:to_server,established; http.header; content: "Host|3a| quota-notification.servehttp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])quota\-notification\.servehttp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4043192; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert dns any any -> any any (msg: "MISP e90 [tlp:white] Hostname notification-team.servehttp.com"; dns.query; content:"notification-team.servehttp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])notification\-team\.servehttp\.com$/i"; classtype:trojan-activity; sid:4043201; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e90 [tlp:white] Outgoing HTTP Hostname notification-team.servehttp.com"; flow:to_server,established; http.header; content: "Host|3a| notification-team.servehttp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])notification\-team\.servehttp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4043202; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert dns any any -> any any (msg: "MISP e90 [tlp:white] Hostname fedex-notification.servehttp.com"; dns.query; content:"fedex-notification.servehttp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])fedex\-notification\.servehttp\.com$/i"; classtype:trojan-activity; sid:4043211; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e90 [tlp:white] Outgoing HTTP Hostname fedex-notification.servehttp.com"; flow:to_server,established; http.header; content: "Host|3a| fedex-notification.servehttp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])fedex\-notification\.servehttp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4043212; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/90;) alert dns any any -> any any (msg: "MISP e90 [tlp:white] Hostname docs-mails.servehttp.com"; dns.query; content:"docs-mails.servehttp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])docs\-mails\.servehttp\.com$/i"; classtype:trojan-activity; sid:4043221; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e90 [tlp:white] Outgoing HTTP Hostname docs-mails.servehttp.com"; flow:to_server,established; http.header; content: "Host|3a| docs-mails.servehttp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])docs\-mails\.servehttp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4043222; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert dns any any -> any any (msg: "MISP e90 [tlp:white] Hostname restricted-videos.servehttp.com"; dns.query; content:"restricted-videos.servehttp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])restricted\-videos\.servehttp\.com$/i"; classtype:trojan-activity; sid:4043231; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e90 [tlp:white] Outgoing HTTP Hostname restricted-videos.servehttp.com"; flow:to_server,established; http.header; content: "Host|3a| restricted-videos.servehttp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])restricted\-videos\.servehttp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4043232; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert dns any any -> any any (msg: "MISP e90 [tlp:white] Hostname dropboxnotification.servehttp.com"; dns.query; content:"dropboxnotification.servehttp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])dropboxnotification\.servehttp\.com$/i"; classtype:trojan-activity; sid:4043241; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e90 [tlp:white] Outgoing HTTP Hostname dropboxnotification.servehttp.com"; flow:to_server,established; http.header; content: "Host|3a| dropboxnotification.servehttp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])dropboxnotification\.servehttp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4043242; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert dns any any -> any any (msg: "MISP e90 [tlp:white] Hostname moi-gov.serveftp.com"; dns.query; content:"moi-gov.serveftp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])moi\-gov\.serveftp\.com$/i"; classtype:trojan-activity; sid:4043251; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e90 [tlp:white] Outgoing HTTP Hostname moi-gov.serveftp.com"; flow:to_server,established; http.header; content: "Host|3a| moi-gov.serveftp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])moi\-gov\.serveftp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4043252; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert dns any any -> any any (msg: "MISP e90 [tlp:white] Hostname activate-google.servehttp.com"; dns.query; content:"activate-google.servehttp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])activate\-google\.servehttp\.com$/i"; classtype:trojan-activity; sid:4043261; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e90 [tlp:white] Outgoing HTTP Hostname activate-google.servehttp.com"; flow:to_server,established; http.header; content: "Host|3a| activate-google.servehttp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])activate\-google\.servehttp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4043262; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/90;) alert dns any any -> any any (msg: "MISP e90 [tlp:white] Hostname googlemaps.servehttp.com"; dns.query; content:"googlemaps.servehttp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])googlemaps\.servehttp\.com$/i"; classtype:trojan-activity; sid:4043271; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e90 [tlp:white] Outgoing HTTP Hostname googlemaps.servehttp.com"; flow:to_server,established; http.header; content: "Host|3a| googlemaps.servehttp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])googlemaps\.servehttp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4043272; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e90 [tlp:white] Source Email Address: secure.policy.check@gmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"secure.policy.check@gmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4043281; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e90 [tlp:white] Source Email Address: aramex.shipment@gmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"aramex.shipment@gmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4043291; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e90 [tlp:white] Source Email Address: fedex_tracking@outlook.sa"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"fedex_tracking@outlook.sa"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; 
classtype:trojan-activity; sid:4043301; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e90 [tlp:white] Source Email Address: mails.acc.noreply@gmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"mails.acc.noreply@gmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4043311; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e90 [tlp:white] Source Email Address: fedex.noreply@gmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"fedex.noreply@gmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4043321; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e90 [tlp:white] Source Email Address: customerserviceonlineteam@gmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"customerserviceonlineteam@gmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4043331; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e90 [tlp:white] Source Email Address: fedexcustomers.service@gmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"fedexcustomers.service@gmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4043341; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e90 [tlp:white] Source Email Address: elnadeem.org@gmail.com"; flow:established,to_server; 
content:"MAIL FROM|3a|"; nocase; content:"elnadeem.org@gmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4043351; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e90 [tlp:white] Source Email Address: dropbox.noreplay@gmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"dropbox.noreplay@gmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4043361; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e90 [tlp:white] Source Email Address: mails.noreply.verify@gmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"mails.noreply.verify@gmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4043371; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e90 [tlp:white] Source Email Address: fedex.mails.shipping@gmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"fedex.mails.shipping@gmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4043381; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e90 [tlp:white] Source Email Address: dropbox.notifications.mails@gmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"dropbox.notifications.mails@gmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4043391; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/90;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e90 [tlp:white] Source Email Address: dropbox.notfication@gmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"dropbox.notfication@gmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4043401; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e90 [tlp:white] Source Email Address: drive.noreply.mail@gmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"drive.noreply.mail@gmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4043411; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/90;) alert ip $HOME_NET any -> 125.214.195.17 any (msg: "MISP e91 [tlp:white] Outgoing To IP: 125.214.195.17"; classtype:trojan-activity; sid:4043521; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/91;) alert ip $HOME_NET any -> 196.29.166.218 any (msg: "MISP e91 [tlp:white] Outgoing To IP: 196.29.166.218"; classtype:trojan-activity; sid:4043531; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/91;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e91 [tlp:white] Outgoing URL http|3a|//sap.misapor.ch/vishop/view.jsp?pagenum=1"; flow:to_server,established; http.header; content:"sap.misapor.ch"; fast_pattern; nocase; http.uri; content:"/vishop/view.jsp"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4043541; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/91;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e91 [tlp:white] Outgoing URL https|3a|//www.eye-watch.in/design/fancybox/Pnf.action"; tls.sni; content:"www.eye-watch.in"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4043551; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/91;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e91 [tlp:white] Outgoing URL knf.gov.pl/DefaultDesign/Layouts/KNF2013/resources/accordian-src.js"; flow:to_server,established; http.uri; content:"knf.gov.pl/DefaultDesign/Layouts/KNF2013/resources/accordian-src.js"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4043641; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/91;) alert dns any any -> any any (msg: "MISP e91 [tlp:white] Hostname www.eye-watch.in"; dns.query; content:"www.eye-watch.in"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.eye\-watch\.in$/i"; classtype:trojan-activity; sid:4043651; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/91;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e91 [tlp:white] Outgoing HTTP Hostname www.eye-watch.in"; flow:to_server,established; http.header; content: "Host|3a| www.eye-watch.in"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.eye\-watch\.in[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4043652; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/91;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e91 [tlp:white] Outgoing URL www.eye-watch.in/design/fancybox/Pnf.action"; flow:to_server,established; http.uri; content:"www.eye-watch.in/design/fancybox/Pnf.action"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4043661; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/91;) alert ip $HOME_NET any -> 1.215.228.230 any (msg: "MISP e91 [tlp:white] Outgoing To IP: 1.215.228.230"; classtype:trojan-activity; sid:4043721; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/91;) alert ip $HOME_NET any -> 107.190.190.21 any (msg: "MISP e91 [tlp:white] Outgoing To IP: 107.190.190.21"; 
classtype:trojan-activity; sid:4043731; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/91;) alert ip $HOME_NET any -> 116.168.107.32 any (msg: "MISP e91 [tlp:white] Outgoing To IP: 116.168.107.32"; classtype:trojan-activity; sid:4043741; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/91;) alert ip $HOME_NET any -> 120.107.163.79 any (msg: "MISP e91 [tlp:white] Outgoing To IP: 120.107.163.79"; classtype:trojan-activity; sid:4043751; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/91;) alert ip $HOME_NET any -> 129.221.254.13 any (msg: "MISP e91 [tlp:white] Outgoing To IP: 129.221.254.13"; classtype:trojan-activity; sid:4043761; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/91;) alert ip $HOME_NET any -> 131.11.224.116 any (msg: "MISP e91 [tlp:white] Outgoing To IP: 131.11.224.116"; classtype:trojan-activity; sid:4043771; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/91;) alert ip $HOME_NET any -> 140.112.14.16 any (msg: "MISP e91 [tlp:white] Outgoing To IP: 140.112.14.16"; classtype:trojan-activity; sid:4043781; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/91;) alert ip $HOME_NET any -> 169.45.142.150 any (msg: "MISP e91 [tlp:white] Outgoing To IP: 169.45.142.150"; classtype:trojan-activity; sid:4043791; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/91;) alert ip $HOME_NET any -> 17.61.46.70 any (msg: "MISP e91 [tlp:white] Outgoing To IP: 17.61.46.70"; classtype:trojan-activity; sid:4043801; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/91;) alert ip $HOME_NET any -> 18.200.16.237 any (msg: "MISP e91 [tlp:white] Outgoing To IP: 18.200.16.237"; classtype:trojan-activity; sid:4043811; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/91;) alert ip $HOME_NET any -> 182.45.75.93 any (msg: "MISP e91 [tlp:white] Outgoing To IP: 182.45.75.93"; classtype:trojan-activity; 
sid:4043821; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/91;) alert ip $HOME_NET any -> 203.66.57.237 any (msg: "MISP e91 [tlp:white] Outgoing To IP: 203.66.57.237"; classtype:trojan-activity; sid:4043831; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/91;) alert ip $HOME_NET any -> 203.67.31.17 any (msg: "MISP e91 [tlp:white] Outgoing To IP: 203.67.31.17"; classtype:trojan-activity; sid:4043841; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/91;) alert ip $HOME_NET any -> 204.136.221.47 any (msg: "MISP e91 [tlp:white] Outgoing To IP: 204.136.221.47"; classtype:trojan-activity; sid:4043851; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/91;) alert ip $HOME_NET any -> 206.94.195.86 any (msg: "MISP e91 [tlp:white] Outgoing To IP: 206.94.195.86"; classtype:trojan-activity; sid:4043861; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/91;) alert ip $HOME_NET any -> 21.190.190.107 any (msg: "MISP e91 [tlp:white] Outgoing To IP: 21.190.190.107"; classtype:trojan-activity; sid:4043871; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/91;) alert ip $HOME_NET any -> 218.224.125.66 any (msg: "MISP e91 [tlp:white] Outgoing To IP: 218.224.125.66"; classtype:trojan-activity; sid:4043881; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/91;) alert ip $HOME_NET any -> 32.107.168.116 any (msg: "MISP e91 [tlp:white] Outgoing To IP: 32.107.168.116"; classtype:trojan-activity; sid:4043891; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/91;) alert ip $HOME_NET any -> 36.61.131.78 any (msg: "MISP e91 [tlp:white] Outgoing To IP: 36.61.131.78"; classtype:trojan-activity; sid:4043901; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/91;) alert ip $HOME_NET any -> 47.221.136.204 any (msg: "MISP e91 [tlp:white] Outgoing To IP: 47.221.136.204"; classtype:trojan-activity; sid:4043911; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/91;) alert ip $HOME_NET any -> 59.120.19.101 any (msg: "MISP e91 [tlp:white] Outgoing To IP: 59.120.19.101"; classtype:trojan-activity; sid:4043921; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/91;) alert ip $HOME_NET any -> 59.173.0.74 any (msg: "MISP e91 [tlp:white] Outgoing To IP: 59.173.0.74"; classtype:trojan-activity; sid:4043931; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/91;) alert ip $HOME_NET any -> 59.43.86.123 any (msg: "MISP e91 [tlp:white] Outgoing To IP: 59.43.86.123"; classtype:trojan-activity; sid:4043941; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/91;) alert ip $HOME_NET any -> 70.46.61.17 any (msg: "MISP e91 [tlp:white] Outgoing To IP: 70.46.61.17"; classtype:trojan-activity; sid:4043951; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/91;) alert ip $HOME_NET any -> 82.144.131.5 any (msg: "MISP e91 [tlp:white] Outgoing To IP: 82.144.131.5"; classtype:trojan-activity; sid:4043961; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/91;) alert ip $HOME_NET any -> 86.195.94.206 any (msg: "MISP e91 [tlp:white] Outgoing To IP: 86.195.94.206"; classtype:trojan-activity; sid:4043971; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/91;) alert ip $HOME_NET any -> 93.75.45.182 any (msg: "MISP e91 [tlp:white] Outgoing To IP: 93.75.45.182"; classtype:trojan-activity; sid:4043981; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/91;) alert ip 176.9.36.102 any -> $HOME_NET any (msg: "MISP e92 [tlp:white] Incoming From IP: 176.9.36.102"; classtype:trojan-activity; sid:4043571; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/92;) alert ip 185.116.213.71 any -> $HOME_NET any (msg: "MISP e92 [tlp:white] Incoming From IP: 185.116.213.71"; classtype:trojan-activity; sid:4043581; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/92;) alert ip 134.213.54.163 any -> $HOME_NET any (msg: "MISP e92 [tlp:white] Incoming From IP: 134.213.54.163"; classtype:trojan-activity; sid:4043591; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/92;) alert ip 2a00:1a48:7808:104:9b57:dda6:eb3c:61e1 any -> $HOME_NET any (msg: "MISP e92 [tlp:white] Incoming From IP: 2a00:1a48:7808:104:9b57:dda6:eb3c:61e1"; classtype:trojan-activity; sid:4043601; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/92;) alert ip 37.237.192.22 any -> $HOME_NET any (msg: "MISP e92 [tlp:white] Incoming From IP: 37.237.192.22"; classtype:trojan-activity; sid:4043611; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/92;) alert ip 144.217.81.160 any -> $HOME_NET any (msg: "MISP e92 [tlp:white] Incoming From IP: 144.217.81.160"; classtype:trojan-activity; sid:4043621; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/92;) alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain algew.me"; dns.query; content:"algew.me"; nocase; pcre: "/(^|[^A-Za-z0-9-])algew\.me$/i"; classtype:trojan-activity; sid:4044001; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain algew.me"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"algew.me"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])algew\.me[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044002; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain aloqd.pw"; dns.query; content:"aloqd.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])aloqd\.pw$/i"; classtype:trojan-activity; sid:4044011; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg: "MISP e93 [tlp:white] Outgoing HTTP Domain aloqd.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"aloqd.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])aloqd\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044012; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain bpee.pw"; dns.query; content:"bpee.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])bpee\.pw$/i"; classtype:trojan-activity; sid:4044021; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain bpee.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bpee.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bpee\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044022; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain bvyv.club"; dns.query; content:"bvyv.club"; nocase; pcre: "/(^|[^A-Za-z0-9-])bvyv\.club$/i"; classtype:trojan-activity; sid:4044031; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain bvyv.club"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bvyv.club"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bvyv\.club[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044032; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain bwuk.club"; dns.query; content:"bwuk.club"; nocase; pcre: "/(^|[^A-Za-z0-9-])bwuk\.club$/i"; classtype:trojan-activity; sid:4044041; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/93;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain bwuk.club"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bwuk.club"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bwuk\.club[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044042; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain cgqy.us"; dns.query; content:"cgqy.us"; nocase; pcre: "/(^|[^A-Za-z0-9-])cgqy\.us$/i"; classtype:trojan-activity; sid:4044051; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain cgqy.us"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cgqy.us"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cgqy\.us[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044052; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain cihr.site"; dns.query; content:"cihr.site"; nocase; pcre: "/(^|[^A-Za-z0-9-])cihr\.site$/i"; classtype:trojan-activity; sid:4044061; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain cihr.site"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cihr.site"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cihr\.site[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044062; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain ckwl.pw"; dns.query; content:"ckwl.pw"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])ckwl\.pw$/i"; classtype:trojan-activity; sid:4044071; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain ckwl.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ckwl.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ckwl\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044072; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain cnmah.pw"; dns.query; content:"cnmah.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])cnmah\.pw$/i"; classtype:trojan-activity; sid:4044081; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain cnmah.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cnmah.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cnmah\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044082; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain coec.club"; dns.query; content:"coec.club"; nocase; pcre: "/(^|[^A-Za-z0-9-])coec\.club$/i"; classtype:trojan-activity; sid:4044091; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain coec.club"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"coec.club"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])coec\.club[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044092; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert dns any any -> any any (msg: 
"MISP e93 [tlp:white] Domain cuuo.us"; dns.query; content:"cuuo.us"; nocase; pcre: "/(^|[^A-Za-z0-9-])cuuo\.us$/i"; classtype:trojan-activity; sid:4044101; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain cuuo.us"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cuuo.us"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cuuo\.us[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044102; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain daskd.me"; dns.query; content:"daskd.me"; nocase; pcre: "/(^|[^A-Za-z0-9-])daskd\.me$/i"; classtype:trojan-activity; sid:4044111; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain daskd.me"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"daskd.me"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])daskd\.me[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044112; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain dbxa.pw"; dns.query; content:"dbxa.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])dbxa\.pw$/i"; classtype:trojan-activity; sid:4044121; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain dbxa.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dbxa.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dbxa\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044122; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/93;)
# --- MISP event 93 (reference:url https://misp.botvrij.eu/events/view/93) ---
# Each domain below gets a pair of rules with adjacent sids (...1 = DNS, ...2 = HTTP):
#  * "alert dns any any -> any any": matches the domain in the dns.query buffer. The
#    pcre "(^|[^A-Za-z0-9-])<domain>$" fires on the apex and on any subdomain, but not
#    on a longer label that merely ends with the same string.
#  * "alert http $HOME_NET any -> $EXTERNAL_NET any": flow:to_server,established only;
#    matches the domain in the HTTP Host header (http.header sticky buffer, content
#    "Host|3a|" plus fast_pattern on the domain, pcre with /Hi = http_header +
#    case-insensitive). tag:session,600,seconds keeps logging the matching session for
#    600 s after a hit, so every true positive also costs extra logged traffic.
# NOTE(review): the HTTP pcre combines the http.header sticky buffer with the legacy
#    /H pcre modifier -- confirm the target Suricata version accepts that combination.
# NOTE(review): the DNS rules are direction- and port-agnostic ("any any -> any any"),
#    so recursive lookups forwarded by an internal resolver can fire them as well.
# All rules: classtype trojan-activity, priority 3, rev 1. $HOME_NET and $EXTERNAL_NET
# must be defined in the sensor's vars for the http rules to load.
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain dlex.pw"; dns.query; content:"dlex.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])dlex\.pw$/i"; classtype:trojan-activity; sid:4044131; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain dlex.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dlex.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dlex\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044132; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain doof.pw"; dns.query; content:"doof.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])doof\.pw$/i"; classtype:trojan-activity; sid:4044141; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain doof.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"doof.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])doof\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044142; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain dtxf.pw"; dns.query; content:"dtxf.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])dtxf\.pw$/i"; classtype:trojan-activity; sid:4044151; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain dtxf.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dtxf.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dtxf\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044152; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain dvso.pw"; dns.query; content:"dvso.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])dvso\.pw$/i"; classtype:trojan-activity; sid:4044161; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain dvso.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dvso.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dvso\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044162; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain dyiud.com"; dns.query; content:"dyiud.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])dyiud\.com$/i"; classtype:trojan-activity; sid:4044171; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain dyiud.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dyiud.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dyiud\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044172; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain eady.club"; dns.query; content:"eady.club"; nocase; pcre: "/(^|[^A-Za-z0-9-])eady\.club$/i"; classtype:trojan-activity; sid:4044181; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain eady.club"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"eady.club"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])eady\.club[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044182; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain enuv.club"; dns.query; content:"enuv.club"; nocase; pcre: "/(^|[^A-Za-z0-9-])enuv\.club$/i"; classtype:trojan-activity; sid:4044191; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain enuv.club"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"enuv.club"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])enuv\.club[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044192; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain eter.pw"; dns.query; content:"eter.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])eter\.pw$/i"; classtype:trojan-activity; sid:4044201; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain eter.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"eter.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])eter\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044202; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain fbjz.pw"; dns.query; content:"fbjz.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])fbjz\.pw$/i"; classtype:trojan-activity; sid:4044211; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain fbjz.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"fbjz.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])fbjz\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044212; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain fhyi.club"; dns.query; content:"fhyi.club"; nocase; pcre: "/(^|[^A-Za-z0-9-])fhyi\.club$/i"; classtype:trojan-activity; sid:4044221; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain fhyi.club"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"fhyi.club"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])fhyi\.club[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044222; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain futh.pw"; dns.query; content:"futh.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])futh\.pw$/i"; classtype:trojan-activity; sid:4044231; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain futh.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"futh.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])futh\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044232; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain gjcu.pw"; dns.query; content:"gjcu.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])gjcu\.pw$/i"; classtype:trojan-activity; sid:4044241; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain gjcu.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gjcu.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gjcu\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044242; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain gjuc.pw"; dns.query; content:"gjuc.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])gjuc\.pw$/i"; classtype:trojan-activity; sid:4044251; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain gjuc.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gjuc.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gjuc\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044252; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain gnoa.pw"; dns.query; content:"gnoa.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])gnoa\.pw$/i"; classtype:trojan-activity; sid:4044261; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain gnoa.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gnoa.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gnoa\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044262; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain grij.us"; dns.query; content:"grij.us"; nocase; pcre: "/(^|[^A-Za-z0-9-])grij\.us$/i"; classtype:trojan-activity; sid:4044271; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain grij.us"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"grij.us"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])grij\.us[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044272; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain gxhp.top"; dns.query; content:"gxhp.top"; nocase; pcre: "/(^|[^A-Za-z0-9-])gxhp\.top$/i"; classtype:trojan-activity; sid:4044281; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain gxhp.top"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gxhp.top"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gxhp\.top[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044282; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain hvzr.info"; dns.query; content:"hvzr.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])hvzr\.info$/i"; classtype:trojan-activity; sid:4044291; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain hvzr.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hvzr.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hvzr\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044292; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain idjb.us"; dns.query; content:"idjb.us"; nocase; pcre: "/(^|[^A-Za-z0-9-])idjb\.us$/i"; classtype:trojan-activity; sid:4044301; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain idjb.us"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"idjb.us"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])idjb\.us[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044302; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain ihrs.pw"; dns.query; content:"ihrs.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])ihrs\.pw$/i"; classtype:trojan-activity; sid:4044311; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain ihrs.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ihrs.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ihrs\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044312; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain jimw.club"; dns.query; content:"jimw.club"; nocase; pcre: "/(^|[^A-Za-z0-9-])jimw\.club$/i"; classtype:trojan-activity; sid:4044321; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain jimw.club"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"jimw.club"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])jimw\.club[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044322; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain jomp.site"; dns.query; content:"jomp.site"; nocase; pcre: "/(^|[^A-Za-z0-9-])jomp\.site$/i"; classtype:trojan-activity; sid:4044331; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain jomp.site"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"jomp.site"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])jomp\.site[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044332; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain jxhv.site"; dns.query; content:"jxhv.site"; nocase; pcre: "/(^|[^A-Za-z0-9-])jxhv\.site$/i"; classtype:trojan-activity; sid:4044341; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain jxhv.site"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"jxhv.site"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])jxhv\.site[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044342; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain kjke.pw"; dns.query; content:"kjke.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])kjke\.pw$/i"; classtype:trojan-activity; sid:4044351; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain kjke.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kjke.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kjke\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044352; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain kshv.site"; dns.query; content:"kshv.site"; nocase; pcre: "/(^|[^A-Za-z0-9-])kshv\.site$/i"; classtype:trojan-activity; sid:4044361; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain kshv.site"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kshv.site"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kshv\.site[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044362; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain kwoe.us"; dns.query; content:"kwoe.us"; nocase; pcre: "/(^|[^A-Za-z0-9-])kwoe\.us$/i"; classtype:trojan-activity; sid:4044371; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain kwoe.us"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kwoe.us"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kwoe\.us[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044372; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain ldzp.pw"; dns.query; content:"ldzp.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])ldzp\.pw$/i"; classtype:trojan-activity; sid:4044381; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain ldzp.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ldzp.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ldzp\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044382; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain lhlv.club"; dns.query; content:"lhlv.club"; nocase; pcre: "/(^|[^A-Za-z0-9-])lhlv\.club$/i"; classtype:trojan-activity; sid:4044391; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain lhlv.club"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lhlv.club"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lhlv\.club[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044392; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain lnoy.site"; dns.query; content:"lnoy.site"; nocase; pcre: "/(^|[^A-Za-z0-9-])lnoy\.site$/i"; classtype:trojan-activity; sid:4044401; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain lnoy.site"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lnoy.site"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lnoy\.site[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044402; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain lvrm.pw"; dns.query; content:"lvrm.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])lvrm\.pw$/i"; classtype:trojan-activity; sid:4044411; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain lvrm.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lvrm.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lvrm\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044412; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain lvxf.pw"; dns.query; content:"lvxf.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])lvxf\.pw$/i"; classtype:trojan-activity; sid:4044421; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain lvxf.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lvxf.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lvxf\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044422; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain mewt.us"; dns.query; content:"mewt.us"; nocase; pcre: "/(^|[^A-Za-z0-9-])mewt\.us$/i"; classtype:trojan-activity; sid:4044431; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain mewt.us"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mewt.us"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mewt\.us[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044432; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain mfka.pw"; dns.query; content:"mfka.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])mfka\.pw$/i"; classtype:trojan-activity; sid:4044441; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain mfka.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mfka.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mfka\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044442; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain mjet.pw"; dns.query; content:"mjet.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])mjet\.pw$/i"; classtype:trojan-activity; sid:4044451; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain mjet.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mjet.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mjet\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044452; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain mjut.pw"; dns.query; content:"mjut.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])mjut\.pw$/i"; classtype:trojan-activity; sid:4044461; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain mjut.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mjut.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mjut\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044462; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain mvze.pw"; dns.query; content:"mvze.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])mvze\.pw$/i"; classtype:trojan-activity; sid:4044471; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain mvze.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mvze.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mvze\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044472; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain mxfg.pw"; dns.query; content:"mxfg.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])mxfg\.pw$/i"; classtype:trojan-activity; sid:4044481; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain mxfg.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mxfg.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mxfg\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044482; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain nroq.pw"; dns.query; content:"nroq.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])nroq\.pw$/i"; classtype:trojan-activity; sid:4044491; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain nroq.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nroq.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nroq\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044492; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain nwrr.pw"; dns.query; content:"nwrr.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])nwrr\.pw$/i"; classtype:trojan-activity; sid:4044501; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain nwrr.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nwrr.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nwrr\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044502; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain nxpu.site"; dns.query; content:"nxpu.site"; nocase; pcre: "/(^|[^A-Za-z0-9-])nxpu\.site$/i"; classtype:trojan-activity; sid:4044511; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain nxpu.site"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nxpu.site"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nxpu\.site[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044512; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain oaax.site"; dns.query; content:"oaax.site"; nocase; pcre: "/(^|[^A-Za-z0-9-])oaax\.site$/i"; classtype:trojan-activity; sid:4044521; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain oaax.site"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"oaax.site"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])oaax\.site[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044522; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain odwf.pw"; dns.query; content:"odwf.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])odwf\.pw$/i"; classtype:trojan-activity; sid:4044531; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain odwf.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"odwf.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])odwf\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044532; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain odyr.us"; dns.query; content:"odyr.us"; nocase; pcre: "/(^|[^A-Za-z0-9-])odyr\.us$/i"; classtype:trojan-activity; sid:4044541; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain odyr.us"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"odyr.us"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])odyr\.us[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044542; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain okiq.pw"; dns.query; content:"okiq.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])okiq\.pw$/i"; classtype:trojan-activity; sid:4044551; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain okiq.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"okiq.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])okiq\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044552; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain oknz.club"; dns.query; content:"oknz.club"; nocase; pcre: "/(^|[^A-Za-z0-9-])oknz\.club$/i"; classtype:trojan-activity; sid:4044561; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain oknz.club"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"oknz.club"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])oknz\.club[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044562; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain ooep.pw"; dns.query; content:"ooep.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])ooep\.pw$/i"; classtype:trojan-activity; sid:4044571; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain ooep.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ooep.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ooep\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044572; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain ooyh.us"; dns.query; content:"ooyh.us"; nocase; pcre: "/(^|[^A-Za-z0-9-])ooyh\.us$/i"; classtype:trojan-activity; sid:4044581; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain ooyh.us"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ooyh.us"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ooyh\.us[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044582; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain otzd.pw"; dns.query; content:"otzd.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])otzd\.pw$/i"; classtype:trojan-activity; sid:4044591; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain otzd.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"otzd.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])otzd\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044592; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain oxrp.info"; dns.query; content:"oxrp.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])oxrp\.info$/i"; classtype:trojan-activity; sid:4044601; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain oxrp.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"oxrp.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])oxrp\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044602; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain oyaw.club"; dns.query; content:"oyaw.club"; nocase; pcre: "/(^|[^A-Za-z0-9-])oyaw\.club$/i"; classtype:trojan-activity; sid:4044611; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain oyaw.club"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"oyaw.club"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])oyaw\.club[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044612; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain pafk.us"; dns.query; content:"pafk.us"; nocase; pcre: "/(^|[^A-Za-z0-9-])pafk\.us$/i"; classtype:trojan-activity; sid:4044621; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain pafk.us"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pafk.us"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pafk\.us[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044622; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain palj.us"; dns.query; content:"palj.us"; nocase; pcre: "/(^|[^A-Za-z0-9-])palj\.us$/i"; classtype:trojan-activity; sid:4044631; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain palj.us"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"palj.us"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])palj\.us[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044632; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain pbbk.us"; dns.query; content:"pbbk.us"; nocase; pcre: "/(^|[^A-Za-z0-9-])pbbk\.us$/i"; classtype:trojan-activity; sid:4044641; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain pbbk.us"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pbbk.us"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pbbk\.us[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044642; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain ppdx.pw"; dns.query; content:"ppdx.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])ppdx\.pw$/i"; classtype:trojan-activity; sid:4044651; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain ppdx.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ppdx.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ppdx\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044652; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain pvze.club"; dns.query; content:"pvze.club"; nocase; pcre: "/(^|[^A-Za-z0-9-])pvze\.club$/i"; classtype:trojan-activity; sid:4044661; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain pvze.club"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pvze.club"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pvze\.club[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044662; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain qefg.info"; dns.query; content:"qefg.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])qefg\.info$/i"; classtype:trojan-activity; sid:4044671; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain qefg.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"qefg.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])qefg\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044672; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain qlpa.club"; dns.query; content:"qlpa.club"; nocase; pcre: "/(^|[^A-Za-z0-9-])qlpa\.club$/i"; classtype:trojan-activity; sid:4044681; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain qlpa.club"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"qlpa.club"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])qlpa\.club[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044682; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain qznm.pw"; dns.query; content:"qznm.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])qznm\.pw$/i"; classtype:trojan-activity; sid:4044691; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain qznm.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"qznm.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])qznm\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044692; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain reld.info"; dns.query; content:"reld.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])reld\.info$/i"; classtype:trojan-activity; sid:4044701; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain reld.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"reld.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])reld\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044702; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain rnkj.pw"; dns.query; content:"rnkj.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])rnkj\.pw$/i"; classtype:trojan-activity; sid:4044711; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain rnkj.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"rnkj.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])rnkj\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044712; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain rzzc.pw"; dns.query; content:"rzzc.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])rzzc\.pw$/i"; classtype:trojan-activity; sid:4044721; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain rzzc.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"rzzc.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])rzzc\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044722; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;)
alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain sgvt.pw"; dns.query; content:"sgvt.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])sgvt\.pw$/i"; classtype:trojan-activity; sid:4044731; rev:1; 
priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain sgvt.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sgvt.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sgvt\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044732; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain soru.pw"; dns.query; content:"soru.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])soru\.pw$/i"; classtype:trojan-activity; sid:4044741; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain soru.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"soru.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])soru\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044742; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain swio.pw"; dns.query; content:"swio.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])swio\.pw$/i"; classtype:trojan-activity; sid:4044751; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain swio.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"swio.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])swio\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044752; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain tijm.pw"; dns.query; content:"tijm.pw"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])tijm\.pw$/i"; classtype:trojan-activity; sid:4044761; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain tijm.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tijm.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tijm\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044762; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain tsrs.pw"; dns.query; content:"tsrs.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])tsrs\.pw$/i"; classtype:trojan-activity; sid:4044771; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain tsrs.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tsrs.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tsrs\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044772; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain turp.pw"; dns.query; content:"turp.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])turp\.pw$/i"; classtype:trojan-activity; sid:4044781; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain turp.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"turp.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])turp\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044782; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert dns any any -> any any (msg: "MISP e93 [tlp:white] 
Domain ueox.club"; dns.query; content:"ueox.club"; nocase; pcre: "/(^|[^A-Za-z0-9-])ueox\.club$/i"; classtype:trojan-activity; sid:4044791; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain ueox.club"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ueox.club"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ueox\.club[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044792; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain ufyb.club"; dns.query; content:"ufyb.club"; nocase; pcre: "/(^|[^A-Za-z0-9-])ufyb\.club$/i"; classtype:trojan-activity; sid:4044801; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain ufyb.club"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ufyb.club"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ufyb\.club[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044802; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain utca.site"; dns.query; content:"utca.site"; nocase; pcre: "/(^|[^A-Za-z0-9-])utca\.site$/i"; classtype:trojan-activity; sid:4044811; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain utca.site"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"utca.site"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])utca\.site[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044812; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/93;) alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain vdfe.site"; dns.query; content:"vdfe.site"; nocase; pcre: "/(^|[^A-Za-z0-9-])vdfe\.site$/i"; classtype:trojan-activity; sid:4044821; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain vdfe.site"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vdfe.site"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vdfe\.site[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044822; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain vjro.club"; dns.query; content:"vjro.club"; nocase; pcre: "/(^|[^A-Za-z0-9-])vjro\.club$/i"; classtype:trojan-activity; sid:4044831; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain vjro.club"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vjro.club"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vjro\.club[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044832; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain vkpo.us"; dns.query; content:"vkpo.us"; nocase; pcre: "/(^|[^A-Za-z0-9-])vkpo\.us$/i"; classtype:trojan-activity; sid:4044841; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain vkpo.us"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vkpo.us"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])vkpo\.us[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044842; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain vpua.pw"; dns.query; content:"vpua.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])vpua\.pw$/i"; classtype:trojan-activity; sid:4044851; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain vpua.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vpua.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vpua\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044852; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain vqba.info"; dns.query; content:"vqba.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])vqba\.info$/i"; classtype:trojan-activity; sid:4044861; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain vqba.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vqba.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vqba\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044862; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain vwcq.us"; dns.query; content:"vwcq.us"; nocase; pcre: "/(^|[^A-Za-z0-9-])vwcq\.us$/i"; classtype:trojan-activity; sid:4044871; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain vwcq.us"; flow:to_server,established; http.header; content: 
"Host|3a|"; nocase; http.header; content:"vwcq.us"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vwcq\.us[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044872; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain vxqt.us"; dns.query; content:"vxqt.us"; nocase; pcre: "/(^|[^A-Za-z0-9-])vxqt\.us$/i"; classtype:trojan-activity; sid:4044881; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain vxqt.us"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vxqt.us"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vxqt\.us[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044882; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain vxwy.pw"; dns.query; content:"vxwy.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])vxwy\.pw$/i"; classtype:trojan-activity; sid:4044891; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain vxwy.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vxwy.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vxwy\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044892; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain wfsv.us"; dns.query; content:"wfsv.us"; nocase; pcre: "/(^|[^A-Za-z0-9-])wfsv\.us$/i"; classtype:trojan-activity; sid:4044901; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP 
Domain wfsv.us"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wfsv.us"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wfsv\.us[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044902; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain wqiy.info"; dns.query; content:"wqiy.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])wqiy\.info$/i"; classtype:trojan-activity; sid:4044911; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain wqiy.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wqiy.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wqiy\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044912; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain wvzu.pw"; dns.query; content:"wvzu.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])wvzu\.pw$/i"; classtype:trojan-activity; sid:4044921; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain wvzu.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wvzu.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wvzu\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044922; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain xhqd.pw"; dns.query; content:"xhqd.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])xhqd\.pw$/i"; classtype:trojan-activity; sid:4044931; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain xhqd.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"xhqd.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])xhqd\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044932; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain yamd.pw"; dns.query; content:"yamd.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])yamd\.pw$/i"; classtype:trojan-activity; sid:4044941; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain yamd.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"yamd.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])yamd\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044942; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain yedq.pw"; dns.query; content:"yedq.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])yedq\.pw$/i"; classtype:trojan-activity; sid:4044951; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain yedq.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"yedq.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])yedq\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044952; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain yqox.pw"; dns.query; content:"yqox.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])yqox\.pw$/i"; classtype:trojan-activity; sid:4044961; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/93;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain yqox.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"yqox.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])yqox\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044962; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain ysxy.pw"; dns.query; content:"ysxy.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])ysxy\.pw$/i"; classtype:trojan-activity; sid:4044971; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain ysxy.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ysxy.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ysxy\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044972; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain zcnt.pw"; dns.query; content:"zcnt.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])zcnt\.pw$/i"; classtype:trojan-activity; sid:4044981; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain zcnt.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"zcnt.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])zcnt\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044982; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain zdqp.pw"; dns.query; content:"zdqp.pw"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])zdqp\.pw$/i"; classtype:trojan-activity; sid:4044991; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain zdqp.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"zdqp.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])zdqp\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4044992; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain zjav.us"; dns.query; content:"zjav.us"; nocase; pcre: "/(^|[^A-Za-z0-9-])zjav\.us$/i"; classtype:trojan-activity; sid:4045001; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain zjav.us"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"zjav.us"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])zjav\.us[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4045002; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain zjvz.pw"; dns.query; content:"zjvz.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])zjvz\.pw$/i"; classtype:trojan-activity; sid:4045011; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain zjvz.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"zjvz.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])zjvz\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4045012; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert dns any any -> any any (msg: "MISP e93 [tlp:white] 
Domain zmyo.club"; dns.query; content:"zmyo.club"; nocase; pcre: "/(^|[^A-Za-z0-9-])zmyo\.club$/i"; classtype:trojan-activity; sid:4045021; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain zmyo.club"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"zmyo.club"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])zmyo\.club[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4045022; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain zody.pw"; dns.query; content:"zody.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])zody\.pw$/i"; classtype:trojan-activity; sid:4045031; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain zody.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"zody.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])zody\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4045032; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain zugh.us"; dns.query; content:"zugh.us"; nocase; pcre: "/(^|[^A-Za-z0-9-])zugh\.us$/i"; classtype:trojan-activity; sid:4045041; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain zugh.us"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"zugh.us"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])zugh\.us[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4045042; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/93;) alert dns any any -> any any (msg: "MISP e93 [tlp:white] Domain cspg.pw"; dns.query; content:"cspg.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-])cspg\.pw$/i"; classtype:trojan-activity; sid:4045051; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e93 [tlp:white] Outgoing HTTP Domain cspg.pw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cspg.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cspg\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4045052; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/93;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e94 [tlp:white] Outgoing URL https|3a|//kaspersky.dattodrive.com/index.php/s/lhodbNAIcoNF6yb/download"; tls.sni; content:"kaspersky.dattodrive.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4045171; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/94;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e94 [tlp:white] Outgoing URL http|3a|//87i03clk4zcw06uy1cv5.nl/mass/hospital/spam/payload/WINWORD.exe"; flow:to_server,established; http.header; content:"87i03clk4zcw06uy1cv5.nl"; fast_pattern; nocase; http.uri; content:"/mass/hospital/spam/payload/WINWORD.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4045181; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/94;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e94 [tlp:white] Outgoing URL http|3a|//87i03clk4zcw06uy1cv5.nl/mass/hospital/spam/index.php"; flow:to_server,established; http.header; content:"87i03clk4zcw06uy1cv5.nl"; fast_pattern; nocase; http.uri; content:"/mass/hospital/spam/index.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4045191; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/94;) alert dns any any -> any any (msg: "MISP e95 [tlp:white] Hostname car-service.effers.com"; dns.query; content:"car-service.effers.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])car\-service\.effers\.com$/i"; classtype:trojan-activity; sid:4045361; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/95;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e95 [tlp:white] Outgoing HTTP Hostname car-service.effers.com"; flow:to_server,established; http.header; content: "Host|3a| car-service.effers.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])car\-service\.effers\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4045362; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/95;) alert ip $HOME_NET any -> 83.229.87.11 any (msg: "MISP e95 [tlp:white] Outgoing To IP: 83.229.87.11"; classtype:trojan-activity; sid:4045371; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/95;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e96 [tlp:white] Outgoing URL til.co.za/dfv45"; flow:to_server,established; http.uri; content:"til.co.za/dfv45"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4045391; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/96;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e96 [tlp:white] Outgoing URL awarepictures.com/dfv45"; flow:to_server,established; http.uri; content:"awarepictures.com/dfv45"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4045401; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/96;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e96 [tlp:white] Outgoing URL ursanne.com/dfv45"; flow:to_server,established; http.uri; content:"ursanne.com/dfv45"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4045411; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/96;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e96 [tlp:white] Outgoing URL sokpinter.com/dfv45"; flow:to_server,established; http.uri; content:"sokpinter.com/dfv45"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4045421; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/96;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e96 [tlp:white] Outgoing URL wenable.com/dfv45"; flow:to_server,established; http.uri; content:"wenable.com/dfv45"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4045431; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/96;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e96 [tlp:white] Outgoing URL martijnfeller.nl/dfv45"; flow:to_server,established; http.uri; content:"martijnfeller.nl/dfv45"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4045441; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/96;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e96 [tlp:white] Outgoing URL dont.pl/9yg65"; flow:to_server,established; http.uri; content:"dont.pl/9yg65"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4045451; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/96;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e96 [tlp:white] Outgoing URL bhmech.com/9yg65"; flow:to_server,established; http.uri; content:"bhmech.com/9yg65"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4045461; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/96;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e96 [tlp:white] Outgoing URL sherwoodbusiness.com/9yg65"; flow:to_server,established; http.uri; content:"sherwoodbusiness.com/9yg65"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; 
sid:4045471; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/96;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e96 [tlp:white] Outgoing URL uwdesign.com.br/9yg65"; flow:to_server,established; http.uri; content:"uwdesign.com.br/9yg65"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4045481; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/96;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e96 [tlp:white] Outgoing URL mentoryourmind.org/kjv783r"; flow:to_server,established; http.uri; content:"mentoryourmind.org/kjv783r"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4045491; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/96;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e96 [tlp:white] Outgoing URL lawrenceres.com/kjv783r"; flow:to_server,established; http.uri; content:"lawrenceres.com/kjv783r"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4045501; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/96;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e96 [tlp:white] Outgoing URL cloud9ss.com/kjv783r"; flow:to_server,established; http.uri; content:"cloud9ss.com/kjv783r"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4045511; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/96;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e96 [tlp:white] Outgoing URL mentalmysteries.com/kjv783r"; flow:to_server,established; http.uri; content:"mentalmysteries.com/kjv783r"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4045521; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/96;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e96 [tlp:white] Outgoing URL medjobsmatch.com/kjv783r"; flow:to_server,established; http.uri; 
content:"medjobsmatch.com/kjv783r"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4045531; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/96;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e96 [tlp:white] Outgoing URL i-call.it/kjv783r"; flow:to_server,established; http.uri; content:"i-call.it/kjv783r"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4045541; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/96;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e96 [tlp:white] Outgoing URL super-marv.com/874hv"; flow:to_server,established; http.uri; content:"super-marv.com/874hv"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4045551; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/96;) alert ip $HOME_NET any -> 216.177.132.93 any (msg: "MISP e96 [tlp:white] Outgoing To IP: 216.177.132.93"; classtype:trojan-activity; sid:4045561; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/96;) alert ip $HOME_NET any -> 152.66.249.132 any (msg: "MISP e96 [tlp:white] Outgoing To IP: 152.66.249.132"; classtype:trojan-activity; sid:4045571; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/96;) alert ip $HOME_NET any -> 85.214.113.207 any (msg: "MISP e96 [tlp:white] Outgoing To IP: 85.214.113.207"; classtype:trojan-activity; sid:4045581; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/96;) alert ip $HOME_NET any -> 192.184.84.119 any (msg: "MISP e96 [tlp:white] Outgoing To IP: 192.184.84.119"; classtype:trojan-activity; sid:4045591; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/96;) alert ip $HOME_NET any -> 199.36.194.27 any (msg: "MISP e96 [tlp:white] Outgoing To IP: 199.36.194.27"; classtype:trojan-activity; sid:4045601; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/96;) alert ip $HOME_NET any -> 
104.131.182.74 any (msg: "MISP e96 [tlp:white] Outgoing To IP: 104.131.182.74"; classtype:trojan-activity; sid:4045611; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/96;) alert ip $HOME_NET any -> 199.233.245.109 any (msg: "MISP e96 [tlp:white] Outgoing To IP: 199.233.245.109"; classtype:trojan-activity; sid:4045621; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/96;) alert ip $HOME_NET any -> 74.220.207.120 any (msg: "MISP e96 [tlp:white] Outgoing To IP: 74.220.207.120"; classtype:trojan-activity; sid:4045631; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/96;) alert dns any any -> any any (msg: "MISP e97 [tlp:white] Hostname aaa.stage.14919005.www1.proslr3.com"; dns.query; content:"aaa.stage.14919005.www1.proslr3.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])aaa\.stage\.14919005\.www1\.proslr3\.com$/i"; classtype:trojan-activity; sid:4045681; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/97;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e97 [tlp:white] Outgoing HTTP Hostname aaa.stage.14919005.www1.proslr3.com"; flow:to_server,established; http.header; content: "Host|3a| aaa.stage.14919005.www1.proslr3.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])aaa\.stage\.14919005\.www1\.proslr3\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4045682; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/97;) alert http $HOME_NET any -> 198.100.119.6 80 (msg: "MISP e97 [tlp:white] Outgoing URL http|3a|//198.100.119.6|3a|80/cd"; flow:to_server,established; http.header; content:"198.100.119.6"; fast_pattern; nocase; http.uri; content:"/cd"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4045761; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/97;) alert http $HOME_NET any -> 198.100.119.6 443 (msg: "MISP e97 [tlp:white] Outgoing URL http|3a|//198.100.119.6|3a|443/cd"; 
flow:to_server,established; http.header; content:"198.100.119.6"; fast_pattern; nocase; http.uri; content:"/cd"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4045771; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/97;) alert http $HOME_NET any -> 198.100.119.6 8080 (msg: "MISP e97 [tlp:white] Outgoing URL http|3a|//198.100.119.6|3a|8080/cd"; flow:to_server,established; http.header; content:"198.100.119.6"; fast_pattern; nocase; http.uri; content:"/cd"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4045781; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/97;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e98 [tlp:white] Outgoing URL http|3a|//gaismustudija.lv/wp-includes/pomo/kontakti.php"; flow:to_server,established; http.header; content:"gaismustudija.lv"; fast_pattern; nocase; http.uri; content:"/wp-includes/pomo/kontakti.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4045841; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/98;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e98 [tlp:white] Outgoing URL http|3a|//hcdh-tunisie.org/wp-includes/SimplePie/gzencode.php"; flow:to_server,established; http.header; content:"hcdh-tunisie.org"; fast_pattern; nocase; http.uri; content:"/wp-includes/SimplePie/gzencode.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4045851; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/98;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e98 [tlp:white] Outgoing URL http|3a|//www.gallen.fi/wp-content/gallery/"; flow:to_server,established; http.header; content:"www.gallen.fi"; fast_pattern; nocase; http.uri; content:"/wp-content/gallery/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4045861; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/98;) alert ip $HOME_NET any -> 
185.31.160.55 any (msg: "MISP e99 [tlp:white] Outgoing To IP: 185.31.160.55"; classtype:trojan-activity; sid:4045881; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/99;) alert ip $HOME_NET any -> 185.154.52.233 any (msg: "MISP e99 [tlp:white] Outgoing To IP: 185.154.52.233"; classtype:trojan-activity; sid:4045891; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/99;) alert ip $HOME_NET any -> 95.215.108.213 any (msg: "MISP e99 [tlp:white] Outgoing To IP: 95.215.108.213"; classtype:trojan-activity; sid:4045901; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/99;) alert ip $HOME_NET any -> 182.18.23.38 any (msg: "MISP e100 [tlp:white] Outgoing To IP: 182.18.23.38"; classtype:trojan-activity; sid:4045961; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/100;) alert http $HOME_NET any -> $EXTERNAL_NET 8888 (msg: "MISP e100 [tlp:white] Outgoing URL http|3a|//down.mysking.info|3a|8888/ok.txt"; flow:to_server,established; http.header; content:"down.mysking.info"; fast_pattern; nocase; http.uri; content:"/ok.txt"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4045991; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/100;) alert http $HOME_NET any -> 23.27.127.254 8888 (msg: "MISP e100 [tlp:white] Outgoing URL http|3a|//23.27.127.254|3a|8888/close.bat"; flow:to_server,established; http.header; content:"23.27.127.254"; fast_pattern; nocase; http.uri; content:"/close.bat"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4046001; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/100;) alert http $HOME_NET any -> $EXTERNAL_NET 280 (msg: "MISP e100 [tlp:white] Outgoing URL http|3a|//js.mykings.top|3a|280/v.sct"; flow:to_server,established; http.header; content:"js.mykings.top"; fast_pattern; nocase; http.uri; content:"/v.sct"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4046011; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/100;) alert http $HOME_NET any -> $EXTERNAL_NET 280 (msg: "MISP e100 [tlp:white] Outgoing URL http|3a|//js.mykings.top|3a|280/helloworld.msi"; flow:to_server,established; http.header; content:"js.mykings.top"; fast_pattern; nocase; http.uri; content:"/helloworld.msi"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4046031; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/100;) alert http $HOME_NET any -> $EXTERNAL_NET 8888 (msg: "MISP e100 [tlp:white] Outgoing URL http|3a|//wmi.mykings.top|3a|8888/kill.html"; flow:to_server,established; http.header; content:"wmi.mykings.top"; fast_pattern; nocase; http.uri; content:"/kill.html"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4046041; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/100;) alert http $HOME_NET any -> 67.229.144.218 8888 (msg: "MISP e100 [tlp:white] Outgoing URL http|3a|//67.229.144.218|3a|8888/test1.dat"; flow:to_server,established; http.header; content:"67.229.144.218"; fast_pattern; nocase; http.uri; content:"/test1.dat"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4046061; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/100;) alert http $HOME_NET any -> 47.88.216.68 8888 (msg: "MISP e100 [tlp:white] Outgoing URL http|3a|//47.88.216.68|3a|8888/test.dat"; flow:to_server,established; http.header; content:"47.88.216.68"; fast_pattern; nocase; http.uri; content:"/test.dat"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4046071; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/100;) alert http $HOME_NET any -> 47.52.0.176 8888 (msg: "MISP e100 [tlp:white] Outgoing URL http|3a|//47.52.0.176|3a|8888/item.dat"; flow:to_server,established; http.header; content:"47.52.0.176"; fast_pattern; nocase; http.uri; content:"/item.dat"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4046081; rev:1; 
priority:2; reference:url,https://misp.botvrij.eu/events/view/100;) alert http $HOME_NET any -> 118.190.50.141 8888 (msg: "MISP e100 [tlp:white] Outgoing URL http|3a|//118.190.50.141|3a|8888/test.dat"; flow:to_server,established; http.header; content:"118.190.50.141"; fast_pattern; nocase; http.uri; content:"/test.dat"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4046091; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/100;) alert dns any any -> any any (msg: "MISP e100 [tlp:white] Hostname js.mykings.top"; dns.query; content:"js.mykings.top"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])js\.mykings\.top$/i"; classtype:trojan-activity; sid:4046221; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/100;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e100 [tlp:white] Outgoing HTTP Hostname js.mykings.top"; flow:to_server,established; http.header; content: "Host|3a| js.mykings.top"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])js\.mykings\.top[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4046222; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/100;) alert dns any any -> any any (msg: "MISP e100 [tlp:white] Hostname down.mysking.info"; dns.query; content:"down.mysking.info"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])down\.mysking\.info$/i"; classtype:trojan-activity; sid:4046231; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/100;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e100 [tlp:white] Outgoing HTTP Hostname down.mysking.info"; flow:to_server,established; http.header; content: "Host|3a| down.mysking.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])down\.mysking\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4046232; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/100;) alert dns any any -> any any (msg: "MISP e100 [tlp:white] Hostname wmi.mykings.top"; 
dns.query; content:"wmi.mykings.top"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])wmi\.mykings\.top$/i"; classtype:trojan-activity; sid:4046241; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/100;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e100 [tlp:white] Outgoing HTTP Hostname wmi.mykings.top"; flow:to_server,established; http.header; content: "Host|3a| wmi.mykings.top"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])wmi\.mykings\.top[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4046242; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/100;) alert ip $HOME_NET any -> 23.27.127.254 any (msg: "MISP e100 [tlp:white] Outgoing To IP: 23.27.127.254"; classtype:trojan-activity; sid:4046251; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/100;) alert ip $HOME_NET any -> 118.190.50.141 any (msg: "MISP e100 [tlp:white] Outgoing To IP: 118.190.50.141"; classtype:trojan-activity; sid:4046261; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/100;) alert ip $HOME_NET any -> 47.52.0.176 any (msg: "MISP e100 [tlp:white] Outgoing To IP: 47.52.0.176"; classtype:trojan-activity; sid:4046271; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/100;) alert ip $HOME_NET any -> 47.88.216.68 any (msg: "MISP e100 [tlp:white] Outgoing To IP: 47.88.216.68"; classtype:trojan-activity; sid:4046281; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/100;) alert ip $HOME_NET any -> 67.229.144.218 any (msg: "MISP e100 [tlp:white] Outgoing To IP: 67.229.144.218"; classtype:trojan-activity; sid:4046291; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/100;) alert dns any any -> any any (msg: "MISP e100 [tlp:white] Hostname scdc.worra.com"; dns.query; content:"scdc.worra.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])scdc\.worra\.com$/i"; classtype:trojan-activity; sid:4046301; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/100;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e100 [tlp:white] Outgoing HTTP Hostname scdc.worra.com"; flow:to_server,established; http.header; content: "Host|3a| scdc.worra.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])scdc\.worra\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4046302; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/100;) alert ip $HOME_NET any -> 87.101.243.252 any (msg: "MISP e101 [tlp:white] Outgoing To IP: 87.101.243.252"; classtype:trojan-activity; sid:4046321; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/101;) alert ip $HOME_NET any -> 84.92.36.96 any (msg: "MISP e101 [tlp:white] Outgoing To IP: 84.92.36.96"; classtype:trojan-activity; sid:4046331; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/101;) alert ip $HOME_NET any -> 184.74.243.67 any (msg: "MISP e101 [tlp:white] Outgoing To IP: 184.74.243.67"; classtype:trojan-activity; sid:4046341; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/101;) alert ip $HOME_NET any -> 203.69.210.247 any (msg: "MISP e101 [tlp:white] Outgoing To IP: 203.69.210.247"; classtype:trojan-activity; sid:4046351; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/101;) alert ip $HOME_NET any -> 196.45.177.52 any (msg: "MISP e101 [tlp:white] Outgoing To IP: 196.45.177.52"; classtype:trojan-activity; sid:4046361; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/101;) alert ip $HOME_NET any -> 77.72.84.11 any (msg: "MISP e102 [tlp:white] Outgoing To IP: 77.72.84.11"; classtype:trojan-activity; sid:4046701; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/102;) alert ip $HOME_NET any -> 117.21.191.69 any (msg: "MISP e102 [tlp:white] Outgoing To IP: 117.21.191.69"; classtype:trojan-activity; sid:4046711; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/102;) alert ip $HOME_NET any -> 78.37.191.149 any (msg: "MISP e103 [tlp:white] Outgoing To IP: 78.37.191.149"; classtype:trojan-activity; sid:4046731; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/103;) alert dns any any -> any any (msg: "MISP e103 [tlp:white] Hostname pppoe.avangarddsl.ru"; dns.query; content:"pppoe.avangarddsl.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])pppoe\.avangarddsl\.ru$/i"; classtype:trojan-activity; sid:4046741; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/103;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e103 [tlp:white] Outgoing HTTP Hostname pppoe.avangarddsl.ru"; flow:to_server,established; http.header; content: "Host|3a| pppoe.avangarddsl.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])pppoe\.avangarddsl\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4046742; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/103;) alert ip $HOME_NET any -> 178.70.232.38 any (msg: "MISP e103 [tlp:white] Outgoing To IP: 178.70.232.38"; classtype:trojan-activity; sid:4046751; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/103;) alert dns any any -> any any (msg: "MISP e103 [tlp:white] Domain avangarddsl.ru"; dns.query; content:"avangarddsl.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])avangarddsl\.ru$/i"; classtype:trojan-activity; sid:4046761; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/103;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e103 [tlp:white] Outgoing HTTP Domain avangarddsl.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"avangarddsl.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])avangarddsl\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4046762; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/103;) alert ip $HOME_NET any 
-> 178.70.225.165 any (msg: "MISP e103 [tlp:white] Outgoing To IP: 178.70.225.165"; classtype:trojan-activity; sid:4046771; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/103;) alert ip $HOME_NET any -> 178.70.149.30 any (msg: "MISP e103 [tlp:white] Outgoing To IP: 178.70.149.30"; classtype:trojan-activity; sid:4046781; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/103;) alert ip $HOME_NET any -> 23.111.188.254 any (msg: "MISP e103 [tlp:white] Outgoing To IP: 23.111.188.254"; classtype:trojan-activity; sid:4046791; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/103;) alert dns any any -> any any (msg: "MISP e103 [tlp:white] Domain hvvc.us"; dns.query; content:"hvvc.us"; nocase; pcre: "/(^|[^A-Za-z0-9-])hvvc\.us$/i"; classtype:trojan-activity; sid:4046801; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/103;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e103 [tlp:white] Outgoing HTTP Domain hvvc.us"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hvvc.us"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hvvc\.us[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4046802; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/103;) alert ip $HOME_NET any -> 45.114.116.192 any (msg: "MISP e103 [tlp:white] Outgoing To IP: 45.114.116.192"; classtype:trojan-activity; sid:4046811; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/103;) alert dns any any -> any any (msg: "MISP e103 [tlp:white] Domain brilliantangle.com"; dns.query; content:"brilliantangle.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])brilliantangle\.com$/i"; classtype:trojan-activity; sid:4046821; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/103;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e103 [tlp:white] Outgoing HTTP Domain brilliantangle.com"; flow:to_server,established; 
http.header; content: "Host|3a|"; nocase; http.header; content:"brilliantangle.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])brilliantangle\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4046822; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/103;) alert ip $HOME_NET any -> 103.198.130.148 any (msg: "MISP e104 [tlp:white] Outgoing To IP: 103.198.130.148"; classtype:trojan-activity; sid:4047341; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/104;) alert ip $HOME_NET any -> 103.58.144.249 any (msg: "MISP e104 [tlp:white] Outgoing To IP: 103.58.144.249"; classtype:trojan-activity; sid:4047351; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/104;) alert ip $HOME_NET any -> 115.186.139.104 any (msg: "MISP e104 [tlp:white] Outgoing To IP: 115.186.139.104"; classtype:trojan-activity; sid:4047361; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/104;) alert ip $HOME_NET any -> 138.186.22.2 any (msg: "MISP e104 [tlp:white] Outgoing To IP: 138.186.22.2"; classtype:trojan-activity; sid:4047371; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/104;) alert ip $HOME_NET any -> 168.194.80.70 any (msg: "MISP e104 [tlp:white] Outgoing To IP: 168.194.80.70"; classtype:trojan-activity; sid:4047381; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/104;) alert ip $HOME_NET any -> 176.121.213.31 any (msg: "MISP e104 [tlp:white] Outgoing To IP: 176.121.213.31"; classtype:trojan-activity; sid:4047391; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/104;) alert ip $HOME_NET any -> 177.104.69.130 any (msg: "MISP e104 [tlp:white] Outgoing To IP: 177.104.69.130"; classtype:trojan-activity; sid:4047401; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/104;) alert ip $HOME_NET any -> 177.231.253.158 any (msg: "MISP e104 [tlp:white] Outgoing To IP: 177.231.253.158"; classtype:trojan-activity; 
sid:4047411; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/104;) alert ip $HOME_NET any -> 177.87.233.4 any (msg: "MISP e104 [tlp:white] Outgoing To IP: 177.87.233.4"; classtype:trojan-activity; sid:4047421; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/104;) alert ip $HOME_NET any -> 184.160.113.13 any (msg: "MISP e104 [tlp:white] Outgoing To IP: 184.160.113.13"; classtype:trojan-activity; sid:4047431; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/104;) alert ip $HOME_NET any -> 185.158.175.95 any (msg: "MISP e104 [tlp:white] Outgoing To IP: 185.158.175.95"; classtype:trojan-activity; sid:4047441; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/104;) alert ip $HOME_NET any -> 185.27.219.173 any (msg: "MISP e104 [tlp:white] Outgoing To IP: 185.27.219.173"; classtype:trojan-activity; sid:4047451; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/104;) alert ip $HOME_NET any -> 185.47.136.111 any (msg: "MISP e104 [tlp:white] Outgoing To IP: 185.47.136.111"; classtype:trojan-activity; sid:4047461; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/104;) alert ip $HOME_NET any -> 185.8.0.182 any (msg: "MISP e104 [tlp:white] Outgoing To IP: 185.8.0.182"; classtype:trojan-activity; sid:4047471; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/104;) alert ip $HOME_NET any -> 186.208.102.185 any (msg: "MISP e104 [tlp:white] Outgoing To IP: 186.208.102.185"; classtype:trojan-activity; sid:4047481; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/104;) alert ip $HOME_NET any -> 186.208.106.234 any (msg: "MISP e104 [tlp:white] Outgoing To IP: 186.208.106.234"; classtype:trojan-activity; sid:4047491; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/104;) alert ip $HOME_NET any -> 186.208.111.188 any (msg: "MISP e104 [tlp:white] Outgoing To IP: 186.208.111.188"; classtype:trojan-activity; 
sid:4047501; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/104;) alert ip $HOME_NET any -> 188.255.156.67 any (msg: "MISP e104 [tlp:white] Outgoing To IP: 188.255.156.67"; classtype:trojan-activity; sid:4047511; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/104;) alert ip $HOME_NET any -> 188.255.249.27 any (msg: "MISP e104 [tlp:white] Outgoing To IP: 188.255.249.27"; classtype:trojan-activity; sid:4047521; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/104;) alert ip $HOME_NET any -> 190.2.235.246 any (msg: "MISP e104 [tlp:white] Outgoing To IP: 190.2.235.246"; classtype:trojan-activity; sid:4047531; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/104;) alert ip $HOME_NET any -> 196.11.84.62 any (msg: "MISP e104 [tlp:white] Outgoing To IP: 196.11.84.62"; classtype:trojan-activity; sid:4047541; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/104;) alert ip $HOME_NET any -> 200.116.206.58 any (msg: "MISP e104 [tlp:white] Outgoing To IP: 200.116.206.58"; classtype:trojan-activity; sid:4047551; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/104;) alert ip $HOME_NET any -> 217.31.110.43 any (msg: "MISP e104 [tlp:white] Outgoing To IP: 217.31.110.43"; classtype:trojan-activity; sid:4047561; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/104;) alert ip $HOME_NET any -> 36.66.107.162 any (msg: "MISP e104 [tlp:white] Outgoing To IP: 36.66.107.162"; classtype:trojan-activity; sid:4047571; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/104;) alert ip $HOME_NET any -> 37.61.239.216 any (msg: "MISP e104 [tlp:white] Outgoing To IP: 37.61.239.216"; classtype:trojan-activity; sid:4047581; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/104;) alert ip $HOME_NET any -> 49.156.45.139 any (msg: "MISP e104 [tlp:white] Outgoing To IP: 49.156.45.139"; classtype:trojan-activity; sid:4047591; 
rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/104;) alert ip $HOME_NET any -> 5.172.33.237 any (msg: "MISP e104 [tlp:white] Outgoing To IP: 5.172.33.237"; classtype:trojan-activity; sid:4047601; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/104;) alert ip $HOME_NET any -> 5.172.34.138 any (msg: "MISP e104 [tlp:white] Outgoing To IP: 5.172.34.138"; classtype:trojan-activity; sid:4047611; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/104;) alert ip $HOME_NET any -> 82.146.94.150 any (msg: "MISP e104 [tlp:white] Outgoing To IP: 82.146.94.150"; classtype:trojan-activity; sid:4047621; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/104;) alert ip $HOME_NET any -> 82.146.94.86 any (msg: "MISP e104 [tlp:white] Outgoing To IP: 82.146.94.86"; classtype:trojan-activity; sid:4047631; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/104;) alert ip $HOME_NET any -> 84.42.159.138 any (msg: "MISP e104 [tlp:white] Outgoing To IP: 84.42.159.138"; classtype:trojan-activity; sid:4047641; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/104;) alert ip $HOME_NET any -> 95.104.2.225 any (msg: "MISP e104 [tlp:white] Outgoing To IP: 95.104.2.225"; classtype:trojan-activity; sid:4047651; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/104;) alert ip $HOME_NET any -> 96.9.69.131 any (msg: "MISP e104 [tlp:white] Outgoing To IP: 96.9.69.131"; classtype:trojan-activity; sid:4047661; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/104;) alert ip $HOME_NET any -> 158.255.2.138 any (msg: "MISP e106 [tlp:white] Outgoing To IP: 158.255.2.138"; classtype:trojan-activity; sid:4047861; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/106;) alert ip $HOME_NET any -> 185.162.8.190 any (msg: "MISP e106 [tlp:white] Outgoing To IP: 185.162.8.190"; classtype:trojan-activity; sid:4047871; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/106;) alert ip $HOME_NET any -> 185.169.229.168 any (msg: "MISP e106 [tlp:white] Outgoing To IP: 185.169.229.168"; classtype:trojan-activity; sid:4047881; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/106;) alert dns any any -> any any (msg: "MISP e107 [tlp:white] Domain itaiwans.com"; dns.query; content:"itaiwans.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])itaiwans\.com$/i"; classtype:trojan-activity; sid:4047951; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/107;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e107 [tlp:white] Outgoing HTTP Domain itaiwans.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"itaiwans.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])itaiwans\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4047952; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/107;) alert dns any any -> any any (msg: "MISP e107 [tlp:white] Domain microsoftmse.com"; dns.query; content:"microsoftmse.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])microsoftmse\.com$/i"; classtype:trojan-activity; sid:4047961; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/107;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e107 [tlp:white] Outgoing HTTP Domain microsoftmse.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"microsoftmse.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])microsoftmse\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4047962; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/107;) alert ip $HOME_NET any -> 211.72.242.120 any (msg: "MISP e107 [tlp:white] Outgoing To IP: 211.72.242.120"; classtype:trojan-activity; sid:4047971; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/107;) alert dns any any -> any any 
(msg: "MISP e108 [tlp:white] Hostname member-daumchk.netai.net"; dns.query; content:"member-daumchk.netai.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])member\-daumchk\.netai\.net$/i"; classtype:trojan-activity; sid:4048031; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/108;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e108 [tlp:white] Outgoing HTTP Hostname member-daumchk.netai.net"; flow:to_server,established; http.header; content: "Host|3a| member-daumchk.netai.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])member\-daumchk\.netai\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4048032; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/108;) alert dns any any -> any any (msg: "MISP e109 [tlp:white] Hostname updatesec.webredirect.org"; dns.query; content:"updatesec.webredirect.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])updatesec\.webredirect\.org$/i"; classtype:trojan-activity; sid:4048091; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/109;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e109 [tlp:white] Outgoing HTTP Hostname updatesec.webredirect.org"; flow:to_server,established; http.header; content: "Host|3a| updatesec.webredirect.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])updatesec\.webredirect\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4048092; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/109;) alert ip $HOME_NET any -> 45.77.53.146 any (msg: "MISP e109 [tlp:white] Outgoing To IP: 45.77.53.146"; classtype:trojan-activity; sid:4048101; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/109;) alert dns any any -> any any (msg: "MISP e109 [tlp:white] Hostname downloadarchives.servehttp.com"; dns.query; content:"downloadarchives.servehttp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])downloadarchives\.servehttp\.com$/i"; classtype:trojan-activity; 
sid:4048111; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/109;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e109 [tlp:white] Outgoing HTTP Hostname downloadarchives.servehttp.com"; flow:to_server,established; http.header; content: "Host|3a| downloadarchives.servehttp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])downloadarchives\.servehttp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4048112; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/109;) alert ip $HOME_NET any -> 213.200.14.138 any (msg: "MISP e109 [tlp:white] Outgoing To IP: 213.200.14.138"; classtype:trojan-activity; sid:4048121; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/109;) alert ip $HOME_NET any -> 176.9.192.22 any (msg: "MISP e109 [tlp:white] Outgoing To IP: 176.9.192.22"; classtype:trojan-activity; sid:4048131; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/109;) alert dns any any -> any any (msg: "MISP e110 [tlp:white] Domain moreoffer.life"; dns.query; content:"moreoffer.life"; nocase; pcre: "/(^|[^A-Za-z0-9-])moreoffer\.life$/i"; classtype:trojan-activity; sid:4048141; rev:1; priority:4; reference:url,https://misp.botvrij.eu/events/view/110;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e110 [tlp:white] Outgoing HTTP Domain moreoffer.life"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"moreoffer.life"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])moreoffer\.life[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4048142; rev:1; priority:4; reference:url,https://misp.botvrij.eu/events/view/110;) alert dns any any -> any any (msg: "MISP e110 [tlp:white] Domain signup.updatesforme.club"; dns.query; content:"signup.updatesforme.club"; nocase; pcre: "/(^|[^A-Za-z0-9-])signup\.updatesforme\.club$/i"; classtype:trojan-activity; sid:4048151; rev:1; priority:4; 
reference:url,https://misp.botvrij.eu/events/view/110;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e110 [tlp:white] Outgoing HTTP Domain signup.updatesforme.club"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"signup.updatesforme.club"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])signup\.updatesforme\.club[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4048152; rev:1; priority:4; reference:url,https://misp.botvrij.eu/events/view/110;) alert dns any any -> any any (msg: "MISP e110 [tlp:white] Domain ping.topsite.life"; dns.query; content:"ping.topsite.life"; nocase; pcre: "/(^|[^A-Za-z0-9-])ping\.topsite\.life$/i"; classtype:trojan-activity; sid:4048161; rev:1; priority:4; reference:url,https://misp.botvrij.eu/events/view/110;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e110 [tlp:white] Outgoing HTTP Domain ping.topsite.life"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ping.topsite.life"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ping\.topsite\.life[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4048162; rev:1; priority:4; reference:url,https://misp.botvrij.eu/events/view/110;) alert dns any any -> any any (msg: "MISP e110 [tlp:white] Domain alasra-paper.duckdns.org"; dns.query; content:"alasra-paper.duckdns.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])alasra\-paper\.duckdns\.org$/i"; classtype:trojan-activity; sid:4048171; rev:1; priority:4; reference:url,https://misp.botvrij.eu/events/view/110;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e110 [tlp:white] Outgoing HTTP Domain alasra-paper.duckdns.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"alasra-paper.duckdns.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])alasra\-paper\.duckdns\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; 
sid:4048172; rev:1; priority:4; reference:url,https://misp.botvrij.eu/events/view/110;) alert dns any any -> any any (msg: "MISP e110 [tlp:white] Domain hamas-wathaq.duckdns.org"; dns.query; content:"hamas-wathaq.duckdns.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])hamas\-wathaq\.duckdns\.org$/i"; classtype:trojan-activity; sid:4048181; rev:1; priority:4; reference:url,https://misp.botvrij.eu/events/view/110;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e110 [tlp:white] Outgoing HTTP Domain hamas-wathaq.duckdns.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hamas-wathaq.duckdns.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hamas\-wathaq\.duckdns\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4048182; rev:1; priority:4; reference:url,https://misp.botvrij.eu/events/view/110;) alert dns any any -> any any (msg: "MISP e110 [tlp:white] Domain download.data-server.cloudns.club"; dns.query; content:"download.data-server.cloudns.club"; nocase; pcre: "/(^|[^A-Za-z0-9-])download\.data\-server\.cloudns\.club$/i"; classtype:trojan-activity; sid:4048191; rev:1; priority:4; reference:url,https://misp.botvrij.eu/events/view/110;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e110 [tlp:white] Outgoing HTTP Domain download.data-server.cloudns.club"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"download.data-server.cloudns.club"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])download\.data\-server\.cloudns\.club[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4048192; rev:1; priority:4; reference:url,https://misp.botvrij.eu/events/view/110;) alert dns any any -> any any (msg: "MISP e110 [tlp:white] Domain upgrade.newshelpyou.com"; dns.query; content:"upgrade.newshelpyou.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])upgrade\.newshelpyou\.com$/i"; classtype:trojan-activity; sid:4048201; rev:1; priority:4; 
reference:url,https://misp.botvrij.eu/events/view/110;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e110 [tlp:white] Outgoing HTTP Domain upgrade.newshelpyou.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"upgrade.newshelpyou.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])upgrade\.newshelpyou\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4048202; rev:1; priority:4; reference:url,https://misp.botvrij.eu/events/view/110;) alert dns any any -> any any (msg: "MISP e110 [tlp:white] Domain manual.newphoneapp.com"; dns.query; content:"manual.newphoneapp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])manual\.newphoneapp\.com$/i"; classtype:trojan-activity; sid:4048211; rev:1; priority:4; reference:url,https://misp.botvrij.eu/events/view/110;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e110 [tlp:white] Outgoing HTTP Domain manual.newphoneapp.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"manual.newphoneapp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])manual\.newphoneapp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4048212; rev:1; priority:4; reference:url,https://misp.botvrij.eu/events/view/110;) alert dns any any -> any any (msg: "MISP e110 [tlp:white] Domain hnoor.newphoneapp.com"; dns.query; content:"hnoor.newphoneapp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])hnoor\.newphoneapp\.com$/i"; classtype:trojan-activity; sid:4048221; rev:1; priority:4; reference:url,https://misp.botvrij.eu/events/view/110;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e110 [tlp:white] Outgoing HTTP Domain hnoor.newphoneapp.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hnoor.newphoneapp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hnoor\.newphoneapp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4048222; rev:1; priority:4; reference:url,https://misp.botvrij.eu/events/view/110;) alert dns any any -> any any (msg: "MISP e110 [tlp:white] Domain lol.mynetav.org"; dns.query; content:"lol.mynetav.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])lol\.mynetav\.org$/i"; classtype:trojan-activity; sid:4048231; rev:1; priority:4; reference:url,https://misp.botvrij.eu/events/view/110;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e110 [tlp:white] Outgoing HTTP Domain lol.mynetav.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lol.mynetav.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lol\.mynetav\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4048232; rev:1; priority:4; reference:url,https://misp.botvrij.eu/events/view/110;) alert ip $HOME_NET any -> 138.68.242.68 any (msg: "MISP e110 [tlp:white] Outgoing To IP: 138.68.242.68"; classtype:trojan-activity; sid:4048241; rev:1; priority:4; reference:url,https://misp.botvrij.eu/events/view/110;) alert ip $HOME_NET any -> 185.86.149.168 any (msg: "MISP e110 [tlp:white] Outgoing To IP: 185.86.149.168"; classtype:trojan-activity; sid:4048251; rev:1; priority:4; reference:url,https://misp.botvrij.eu/events/view/110;) alert ip $HOME_NET any -> 185.11.146.68 any (msg: "MISP e110 [tlp:white] Outgoing To IP: 185.11.146.68"; classtype:trojan-activity; sid:4048261; rev:1; priority:4; reference:url,https://misp.botvrij.eu/events/view/110;) alert ip $HOME_NET any -> 45.32.84.66 any (msg: "MISP e110 [tlp:white] Outgoing To IP: 45.32.84.66"; classtype:trojan-activity; sid:4048271; rev:1; priority:4; reference:url,https://misp.botvrij.eu/events/view/110;) alert ip $HOME_NET any -> 45.32.71.95 any (msg: "MISP e110 [tlp:white] Outgoing To IP: 45.32.71.95"; classtype:trojan-activity; sid:4048281; rev:1; priority:4; reference:url,https://misp.botvrij.eu/events/view/110;) alert ip $HOME_NET any -> 107.161.27.158 any 
(msg: "MISP e110 [tlp:white] Outgoing To IP: 107.161.27.158"; classtype:trojan-activity; sid:4048291; rev:1; priority:4; reference:url,https://misp.botvrij.eu/events/view/110;) alert ip $HOME_NET any -> 46.246.87.74 any (msg: "MISP e110 [tlp:white] Outgoing To IP: 46.246.87.74"; classtype:trojan-activity; sid:4048301; rev:1; priority:4; reference:url,https://misp.botvrij.eu/events/view/110;) alert dns any any -> any any (msg: "MISP e111 [tlp:white] Domain mikemuder.com"; dns.query; content:"mikemuder.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])mikemuder\.com$/i"; classtype:trojan-activity; sid:4048821; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/111;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e111 [tlp:white] Outgoing HTTP Domain mikemuder.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mikemuder.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mikemuder\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4048822; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/111;) alert ip $HOME_NET any -> 67.195.61.46 any (msg: "MISP e111 [tlp:white] Outgoing To IP: 67.195.61.46"; classtype:trojan-activity; sid:4048831; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/111;) alert dns any any -> any any (msg: "MISP e111 [tlp:white] Domain dverioptomtut.ru"; dns.query; content:"dverioptomtut.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])dverioptomtut\.ru$/i"; classtype:trojan-activity; sid:4049161; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/111;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e111 [tlp:white] Outgoing HTTP Domain dverioptomtut.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dverioptomtut.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dverioptomtut\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; 
sid:4049162; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/111;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e111 [tlp:white] Outgoing URL settleware.com/blog/wp-content/themes/inove/templates/html/krang.wwt"; flow:to_server,established; http.uri; content:"settleware.com/blog/wp-content/themes/inove/templates/html/krang.wwt"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4049181; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/111;) alert dns any any -> any any (msg: "MISP e111 [tlp:white] Domain hppavag0ab9raaz.club"; dns.query; content:"hppavag0ab9raaz.club"; nocase; pcre: "/(^|[^A-Za-z0-9-])hppavag0ab9raaz\.club$/i"; classtype:trojan-activity; sid:4049231; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/111;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e111 [tlp:white] Outgoing HTTP Domain hppavag0ab9raaz.club"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hppavag0ab9raaz.club"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hppavag0ab9raaz\.club[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4049232; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/111;) alert dns any any -> any any (msg: "MISP e111 [tlp:white] Domain havagab9raaz.club"; dns.query; content:"havagab9raaz.club"; nocase; pcre: "/(^|[^A-Za-z0-9-])havagab9raaz\.club$/i"; classtype:trojan-activity; sid:4049241; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/111;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e111 [tlp:white] Outgoing HTTP Domain havagab9raaz.club"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"havagab9raaz.club"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])havagab9raaz\.club[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4049242; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/111;) alert ip $HOME_NET any -> 82.146.59.228 any (msg: "MISP e111 [tlp:white] Outgoing To IP: 82.146.59.228"; classtype:trojan-activity; sid:4049251; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/111;) alert ip $HOME_NET any -> 185.161.209.81 any (msg: "MISP e112 [tlp:white] Outgoing To IP: 185.161.209.81"; classtype:trojan-activity; sid:4049481; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/112;) alert dns any any -> any any (msg: "MISP e113 [tlp:white] Domain weruuoqweiur.com"; dns.query; content:"weruuoqweiur.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])weruuoqweiur\.com$/i"; classtype:trojan-activity; sid:4049491; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/113;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e113 [tlp:white] Outgoing HTTP Domain weruuoqweiur.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"weruuoqweiur.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])weruuoqweiur\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4049492; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/113;) alert dns any any -> any any (msg: "MISP e113 [tlp:white] Hostname e.hl852.com"; dns.query; content:"e.hl852.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])e\.hl852\.com$/i"; classtype:trojan-activity; sid:4049501; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/113;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e113 [tlp:white] Outgoing HTTP Hostname e.hl852.com"; flow:to_server,established; http.header; content: "Host|3a| e.hl852.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])e\.hl852\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4049502; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/113;) alert dns any any -> any any (msg: "MISP e113 [tlp:white] 
Hostname e.ha859.com"; dns.query; content:"e.ha859.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])e\.ha859\.com$/i"; classtype:trojan-activity; sid:4049511; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/113;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e113 [tlp:white] Outgoing HTTP Hostname e.ha859.com"; flow:to_server,established; http.header; content: "Host|3a| e.ha859.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])e\.ha859\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4049512; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/113;) alert ip $HOME_NET any -> 27.102.101.121 any (msg: "MISP e113 [tlp:white] Outgoing To IP: 27.102.101.121"; classtype:trojan-activity; sid:4049521; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/113;) alert ip $HOME_NET any -> 217.155.58.226 any (msg: "MISP e113 [tlp:white] Outgoing To IP: 217.155.58.226"; classtype:trojan-activity; sid:4049531; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/113;) alert ip $HOME_NET any -> 85.229.43.75 any (msg: "MISP e113 [tlp:white] Outgoing To IP: 85.229.43.75"; classtype:trojan-activity; sid:4049541; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/113;) alert ip $HOME_NET any -> 213.185.228.42 any (msg: "MISP e113 [tlp:white] Outgoing To IP: 213.185.228.42"; classtype:trojan-activity; sid:4049551; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/113;) alert ip $HOME_NET any -> 218.186.0.186 any (msg: "MISP e113 [tlp:white] Outgoing To IP: 218.186.0.186"; classtype:trojan-activity; sid:4049561; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/113;) alert ip $HOME_NET any -> 103.56.233.78 any (msg: "MISP e113 [tlp:white] Outgoing To IP: 103.56.233.78"; classtype:trojan-activity; sid:4049571; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/113;) alert ip $HOME_NET any -> 103.245.77.113 
any (msg: "MISP e113 [tlp:white] Outgoing To IP: 103.245.77.113"; classtype:trojan-activity; sid:4049581; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/113;) alert ip $HOME_NET any -> 116.58.254.40 any (msg: "MISP e113 [tlp:white] Outgoing To IP: 116.58.254.40"; classtype:trojan-activity; sid:4049591; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/113;) alert ip $HOME_NET any -> 201.242.171.137 any (msg: "MISP e113 [tlp:white] Outgoing To IP: 201.242.171.137"; classtype:trojan-activity; sid:4049601; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/113;) alert ip $HOME_NET any -> 36.85.177.3 any (msg: "MISP e113 [tlp:white] Outgoing To IP: 36.85.177.3"; classtype:trojan-activity; sid:4049611; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/113;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e114 [tlp:white] Outgoing URL http|3a|//mumbai-m.site"; flow:to_server,established; http.header; content:"mumbai-m.site"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4049751; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/114;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e114 [tlp:white] Outgoing URL http|3a|//dns-update.club"; flow:to_server,established; http.header; content:"dns-update.club"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4049761; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/114;) alert ip $HOME_NET any -> 94.23.172.164 any (msg: "MISP e114 [tlp:white] Outgoing To IP: 94.23.172.164"; classtype:trojan-activity; sid:4049781; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/114;) alert dns any any -> any any (msg: "MISP e114 [tlp:white] Domain proxycheker.pro"; dns.query; content:"proxycheker.pro"; nocase; pcre: "/(^|[^A-Za-z0-9-])proxycheker\.pro$/i"; classtype:trojan-activity; sid:4049811; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/114;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e114 [tlp:white] Outgoing HTTP Domain proxycheker.pro"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"proxycheker.pro"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])proxycheker\.pro[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4049812; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/114;) alert ip $HOME_NET any -> 46.105.221.247 any (msg: "MISP e114 [tlp:white] Outgoing To IP: 46.105.221.247"; classtype:trojan-activity; sid:4049821; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/114;) alert ip $HOME_NET any -> 148.251.55.110 any (msg: "MISP e114 [tlp:white] Outgoing To IP: 148.251.55.110"; classtype:trojan-activity; sid:4049831; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/114;) alert ip $HOME_NET any -> 185.15.247.147 any (msg: "MISP e114 [tlp:white] Outgoing To IP: 185.15.247.147"; classtype:trojan-activity; sid:4049841; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/114;) alert ip $HOME_NET any -> 145.239.33.100 any (msg: "MISP e114 [tlp:white] Outgoing To IP: 145.239.33.100"; classtype:trojan-activity; sid:4049851; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/114;) alert ip $HOME_NET any -> 82.102.14.219 any (msg: "MISP e114 [tlp:white] Outgoing To IP: 82.102.14.219"; classtype:trojan-activity; sid:4049861; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/114;) alert dns any any -> any any (msg: "MISP e114 [tlp:white] Domain hpserver.online"; dns.query; content:"hpserver.online"; nocase; pcre: "/(^|[^A-Za-z0-9-])hpserver\.online$/i"; classtype:trojan-activity; sid:4049941; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/114;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e114 [tlp:white] Outgoing HTTP Domain 
hpserver.online"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hpserver.online"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hpserver\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4049942; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/114;) alert dns any any -> any any (msg: "MISP e114 [tlp:white] Domain anyportals.com"; dns.query; content:"anyportals.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])anyportals\.com$/i"; classtype:trojan-activity; sid:4050001; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/114;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e114 [tlp:white] Outgoing HTTP Domain anyportals.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"anyportals.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])anyportals\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4050002; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/114;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e115 [tlp:white] Outgoing URL http|3a|//partytimeevents.nl/contactgegevens%2012_2017_10_00_.zip"; flow:to_server,established; http.header; content:"partytimeevents.nl"; fast_pattern; nocase; http.uri; content:"/contactgegevens%2012_2017_10_00_.zip"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4050021; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/115;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e115 [tlp:white] Outgoing URL http|3a|//stegengaweb.nl/files/contactgegevens%2012_2017_10_00_.zip"; flow:to_server,established; http.header; content:"stegengaweb.nl"; fast_pattern; nocase; http.uri; content:"/files/contactgegevens%2012_2017_10_00_.zip"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4050031; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/115;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e115 [tlp:white] Outgoing URL http|3a|//axprofessional.it/onenl.exe"; flow:to_server,established; http.header; content:"axprofessional.it"; fast_pattern; nocase; http.uri; content:"/onenl.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4050041; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/115;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e115 [tlp:white] Outgoing URL https|3a|//avimart.ru/3inexowtoqiyzlonyunku.dat"; tls.sni; content:"avimart.ru"; tag:session,600,seconds; classtype:trojan-activity; sid:4050051; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/115;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e115 [tlp:white] Outgoing URL https|3a|//astronatal.ru/2odirnaogfaugdoxiwoex.dat"; tls.sni; content:"astronatal.ru"; tag:session,600,seconds; classtype:trojan-activity; sid:4050061; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/115;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e115 [tlp:white] Outgoing URL https|3a|//abci.ru/1yhubydnopyakleqinyyx.dat"; tls.sni; content:"abci.ru"; tag:session,600,seconds; classtype:trojan-activity; sid:4050071; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/115;) alert ip $HOME_NET any -> 185.224.133.57 any (msg: "MISP e115 [tlp:white] Outgoing To IP: 185.224.133.57"; classtype:trojan-activity; sid:4050081; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/115;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e115 [tlp:white] Outgoing URL https|3a|//adsfun.club/"; tls.sni; content:"adsfun.club"; tag:session,600,seconds; classtype:trojan-activity; sid:4050091; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/115;) alert dns any any -> any any (msg: "MISP e117 [tlp:white] Hostname adfs.senate.group"; dns.query; 
content:"adfs.senate.group"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])adfs\.senate\.group$/i"; classtype:trojan-activity; sid:4050311; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/117;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e117 [tlp:white] Outgoing HTTP Hostname adfs.senate.group"; flow:to_server,established; http.header; content: "Host|3a| adfs.senate.group"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])adfs\.senate\.group[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4050312; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/117;) alert dns any any -> any any (msg: "MISP e117 [tlp:white] Domain adfs-senate.email"; dns.query; content:"adfs-senate.email"; nocase; pcre: "/(^|[^A-Za-z0-9-])adfs\-senate\.email$/i"; classtype:trojan-activity; sid:4050321; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/117;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e117 [tlp:white] Outgoing HTTP Domain adfs-senate.email"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"adfs-senate.email"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])adfs\-senate\.email[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4050322; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/117;) alert dns any any -> any any (msg: "MISP e117 [tlp:white] Domain adfs-senate.services"; dns.query; content:"adfs-senate.services"; nocase; pcre: "/(^|[^A-Za-z0-9-])adfs\-senate\.services$/i"; classtype:trojan-activity; sid:4050331; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/117;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e117 [tlp:white] Outgoing HTTP Domain adfs-senate.services"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"adfs-senate.services"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])adfs\-senate\.services[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4050332; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/117;) alert dns any any -> any any (msg: "MISP e117 [tlp:white] Hostname adfs.senate.qov.info"; dns.query; content:"adfs.senate.qov.info"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])adfs\.senate\.qov\.info$/i"; classtype:trojan-activity; sid:4050341; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/117;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e117 [tlp:white] Outgoing HTTP Hostname adfs.senate.qov.info"; flow:to_server,established; http.header; content: "Host|3a| adfs.senate.qov.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])adfs\.senate\.qov\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4050342; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/117;) alert dns any any -> any any (msg: "MISP e117 [tlp:white] Hostname chmail.ir.udelivered.tk"; dns.query; content:"chmail.ir.udelivered.tk"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])chmail\.ir\.udelivered\.tk$/i"; classtype:trojan-activity; sid:4050351; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/117;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e117 [tlp:white] Outgoing HTTP Hostname chmail.ir.udelivered.tk"; flow:to_server,established; http.header; content: "Host|3a| chmail.ir.udelivered.tk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])chmail\.ir\.udelivered\.tk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4050352; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/117;) alert dns any any -> any any (msg: "MISP e117 [tlp:white] Domain webmail-ibsf.org"; dns.query; content:"webmail-ibsf.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])webmail\-ibsf\.org$/i"; classtype:trojan-activity; sid:4050361; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/117;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e117 [tlp:white] Outgoing HTTP Domain webmail-ibsf.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"webmail-ibsf.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])webmail\-ibsf\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4050362; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/117;) alert dns any any -> any any (msg: "MISP e117 [tlp:white] Domain fil-luge.com"; dns.query; content:"fil-luge.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])fil\-luge\.com$/i"; classtype:trojan-activity; sid:4050371; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/117;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e117 [tlp:white] Outgoing HTTP Domain fil-luge.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"fil-luge.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])fil\-luge\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4050372; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/117;) alert dns any any -> any any (msg: "MISP e117 [tlp:white] Domain biathlovvorld.com"; dns.query; content:"biathlovvorld.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])biathlovvorld\.com$/i"; classtype:trojan-activity; sid:4050381; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/117;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e117 [tlp:white] Outgoing HTTP Domain biathlovvorld.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"biathlovvorld.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])biathlovvorld\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4050382; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/117;) alert dns any any 
-> any any (msg: "MISP e117 [tlp:white] Domain mail-ibu.eu"; dns.query; content:"mail-ibu.eu"; nocase; pcre: "/(^|[^A-Za-z0-9-])mail\-ibu\.eu$/i"; classtype:trojan-activity; sid:4050391; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/117;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e117 [tlp:white] Outgoing HTTP Domain mail-ibu.eu"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mail-ibu.eu"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mail\-ibu\.eu[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4050392; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/117;) alert dns any any -> any any (msg: "MISP e117 [tlp:white] Domain fisski.ca"; dns.query; content:"fisski.ca"; nocase; pcre: "/(^|[^A-Za-z0-9-])fisski\.ca$/i"; classtype:trojan-activity; sid:4050401; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/117;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e117 [tlp:white] Outgoing HTTP Domain fisski.ca"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"fisski.ca"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])fisski\.ca[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4050402; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/117;) alert dns any any -> any any (msg: "MISP e117 [tlp:white] Domain iihf.eu"; dns.query; content:"iihf.eu"; nocase; pcre: "/(^|[^A-Za-z0-9-])iihf\.eu$/i"; classtype:trojan-activity; sid:4050411; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/117;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e117 [tlp:white] Outgoing HTTP Domain iihf.eu"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"iihf.eu"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])iihf\.eu[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4050412; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/117;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e118 [tlp:white] Outgoing URL http|3a|//discgolfglow.com/wp-content/plugins/maintenance/images/worker.jpg"; flow:to_server,established; http.header; content:"discgolfglow.com"; fast_pattern; nocase; http.uri; content:"/wp-content/plugins/maintenance/images/worker.jpg"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4050481; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/118;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e118 [tlp:white] Outgoing URL http|3a|//acddesigns.com.au/clients/ACPRCM/kingstone.jpg"; flow:to_server,established; http.header; content:"acddesigns.com.au"; fast_pattern; nocase; http.uri; content:"/clients/ACPRCM/kingstone.jpg"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4050491; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/118;)
# NOTE(review): sids 4050641, 4050651, 4050661, 4050671 and 4050681 below were exported from URL attributes
# that carry no scheme, so the exporter left the hostname inside the http.uri content instead of splitting
# it into an http.header Host match plus an http.uri path match (compare sid 4050481 above, or sid 4049181
# earlier in this file for the same schemeless shape). The http.uri buffer normally holds only the request
# path, so these patterns are expected to match only absolute-form request lines (e.g. explicit-proxy
# traffic) and to stay silent on ordinary origin-form requests. Treat them as low-confidence coverage for
# event 118 and rewrite them in the header+uri form if detection on these URLs matters.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e118 [tlp:white] Outgoing URL www.imuz.com/admin/data/bbs/review2/board/index.php"; flow:to_server,established; http.uri; content:"www.imuz.com/admin/data/bbs/review2/board/index.php"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4050641; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/118;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e118 [tlp:white] Outgoing URL www.imuz.com/admin/data/bbs/review2/board/123.php"; flow:to_server,established; http.uri; content:"www.imuz.com/admin/data/bbs/review2/board/123.php"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4050651; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/118;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e118 [tlp:white] Outgoing URL www.wildrush.co.kr/bbs/data/image/work/webproxy.php"; flow:to_server,established; http.uri; content:"www.wildrush.co.kr/bbs/data/image/work/webproxy.php"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4050661; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/118;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e118 [tlp:white] Outgoing URL www.belasting-telefoon.nl//images/banners/temp/index.php"; flow:to_server,established; http.uri; content:"www.belasting-telefoon.nl//images/banners/temp/index.php"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4050671; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/118;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e118 [tlp:white] Outgoing URL www.kgls.or.kr/news2/news_dir/index.php"; flow:to_server,established; http.uri; content:"www.kgls.or.kr/news2/news_dir/index.php"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4050681; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/118;)
# The "[base64_data]" placeholder in the next msg is only descriptive: the http.uri content stops at the
# path (/btob_asiana/udel_calcel.php) and does not include the variable query string, which is correct.
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e118 [tlp:white] Outgoing URL http|3a|//old.jrchina.com/btob_asiana/udel_calcel.php?fdid=[base64_data]"; flow:to_server,established; http.header; content:"old.jrchina.com"; fast_pattern; nocase; http.uri; content:"/btob_asiana/udel_calcel.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4050761; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/118;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e118 [tlp:white] Outgoing URL http|3a|//old.jrchina.com/btob_asiana/appach01.jpg"; flow:to_server,established; http.header; content:"old.jrchina.com"; fast_pattern; nocase; http.uri; content:"/btob_asiana/appach01.jpg"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4050771; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/118;)
alert http $HOME_NET any -> $EXTERNAL_NET
$HTTP_PORTS (msg: "MISP e118 [tlp:white] Outgoing URL http|3a|//old.jrchina.com/btob_asiana/appach02.jpg"; flow:to_server,established; http.header; content:"old.jrchina.com"; fast_pattern; nocase; http.uri; content:"/btob_asiana/appach02.jpg"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4050781; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/118;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e118 [tlp:white] Outgoing URL http|3a|//old.jrchina.com/btob_asiana/udel_ok.ipp"; flow:to_server,established; http.header; content:"old.jrchina.com"; fast_pattern; nocase; http.uri; content:"/btob_asiana/udel_ok.ipp"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4050791; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/118;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e118 [tlp:white] Outgoing URL http|3a|//old.jrchina.com/btob_asiana/udel_confirm.php"; flow:to_server,established; http.header; content:"old.jrchina.com"; fast_pattern; nocase; http.uri; content:"/btob_asiana/udel_confirm.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4050801; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/118;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e118 [tlp:white] Outgoing URL http|3a|//60chicken.co.kr/wysiwyg/PEG_temp/logo1.png"; flow:to_server,established; http.header; content:"60chicken.co.kr"; fast_pattern; nocase; http.uri; content:"/wysiwyg/PEG_temp/logo1.png"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4050891; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/118;) alert ip $HOME_NET any -> 154.16.93.182 any (msg: "MISP e119 [tlp:white] Outgoing To IP: 154.16.93.182"; classtype:trojan-activity; sid:4050961; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/119;) alert ip $HOME_NET any -> 85.214.136.179 any (msg: "MISP e119 [tlp:white] 
Outgoing To IP: 85.214.136.179"; classtype:trojan-activity; sid:4050971; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/119;) alert ip $HOME_NET any -> 178.254.21.218 any (msg: "MISP e119 [tlp:white] Outgoing To IP: 178.254.21.218"; classtype:trojan-activity; sid:4050981; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/119;) alert ip $HOME_NET any -> 159.203.42.107 any (msg: "MISP e119 [tlp:white] Outgoing To IP: 159.203.42.107"; classtype:trojan-activity; sid:4050991; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/119;) alert ip $HOME_NET any -> 217.12.223.216 any (msg: "MISP e119 [tlp:white] Outgoing To IP: 217.12.223.216"; classtype:trojan-activity; sid:4051001; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/119;) alert ip $HOME_NET any -> 138.201.143.186 any (msg: "MISP e119 [tlp:white] Outgoing To IP: 138.201.143.186"; classtype:trojan-activity; sid:4051011; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/119;) alert ip $HOME_NET any -> 216.244.85.211 any (msg: "MISP e119 [tlp:white] Outgoing To IP: 216.244.85.211"; classtype:trojan-activity; sid:4051021; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/119;) alert ip $HOME_NET any -> 51.15.78.0 any (msg: "MISP e119 [tlp:white] Outgoing To IP: 51.15.78.0"; classtype:trojan-activity; sid:4051031; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/119;) alert ip $HOME_NET any -> 213.251.226.175 any (msg: "MISP e119 [tlp:white] Outgoing To IP: 213.251.226.175"; classtype:trojan-activity; sid:4051041; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/119;) alert ip $HOME_NET any -> 93.95.100.202 any (msg: "MISP e119 [tlp:white] Outgoing To IP: 93.95.100.202"; classtype:trojan-activity; sid:4051051; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/119;) alert dns any any -> any any (msg: "MISP e119 [tlp:white] Hostname 
warnono.punkdns.top"; dns.query; content:"warnono.punkdns.top"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])warnono\.punkdns\.top$/i"; classtype:trojan-activity; sid:4051061; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/119;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e119 [tlp:white] Outgoing HTTP Hostname warnono.punkdns.top"; flow:to_server,established; http.header; content: "Host|3a| warnono.punkdns.top"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])warnono\.punkdns\.top[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4051062; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/119;) alert ip $HOME_NET any -> 188.25.175.38 any (msg: "MISP e120 [tlp:white] Outgoing To IP: 188.25.175.38"; classtype:trojan-activity; sid:4051171; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/120;) alert ip $HOME_NET any -> 109.166.237.170 any (msg: "MISP e120 [tlp:white] Outgoing To IP: 109.166.237.170"; classtype:trojan-activity; sid:4051181; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/120;) alert ip $HOME_NET any -> 212.98.131.181 any (msg: "MISP e120 [tlp:white] Outgoing To IP: 212.98.131.181"; classtype:trojan-activity; sid:4051191; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/120;) alert ip $HOME_NET any -> 86.120.77.221 any (msg: "MISP e120 [tlp:white] Outgoing To IP: 86.120.77.221"; classtype:trojan-activity; sid:4051201; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/120;) alert ip $HOME_NET any -> 80.80.165.93 any (msg: "MISP e120 [tlp:white] Outgoing To IP: 80.80.165.93"; classtype:trojan-activity; sid:4051211; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/120;) alert ip $HOME_NET any -> 186.73.245.226 any (msg: "MISP e120 [tlp:white] Outgoing To IP: 186.73.245.226"; classtype:trojan-activity; sid:4051221; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/120;) 
alert ip $HOME_NET any -> 188.237.190.24 any (msg: "MISP e120 [tlp:white] Outgoing To IP: 188.237.190.24"; classtype:trojan-activity; sid:4051231; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/120;) alert ip $HOME_NET any -> 184.168.187.1 any (msg: "MISP e120 [tlp:white] Outgoing To IP: 184.168.187.1"; classtype:trojan-activity; sid:4051241; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/120;) alert ip $HOME_NET any -> 86.120.168.154 any (msg: "MISP e120 [tlp:white] Outgoing To IP: 86.120.168.154"; classtype:trojan-activity; sid:4051251; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/120;) alert ip $HOME_NET any -> 203.91.116.53 any (msg: "MISP e120 [tlp:white] Outgoing To IP: 203.91.116.53"; classtype:trojan-activity; sid:4051261; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/120;) alert ip $HOME_NET any -> 155.133.93.30 any (msg: "MISP e120 [tlp:white] Outgoing To IP: 155.133.93.30"; classtype:trojan-activity; sid:4051271; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/120;) alert ip $HOME_NET any -> 85.105.167.110 any (msg: "MISP e120 [tlp:white] Outgoing To IP: 85.105.167.110"; classtype:trojan-activity; sid:4051281; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/120;) alert ip $HOME_NET any -> 84.54.187.24 any (msg: "MISP e120 [tlp:white] Outgoing To IP: 84.54.187.24"; classtype:trojan-activity; sid:4051291; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/120;) alert ip $HOME_NET any -> 213.6.121.106 any (msg: "MISP e120 [tlp:white] Outgoing To IP: 213.6.121.106"; classtype:trojan-activity; sid:4051301; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/120;) alert ip $HOME_NET any -> 90.180.1.23 any (msg: "MISP e120 [tlp:white] Outgoing To IP: 90.180.1.23"; classtype:trojan-activity; sid:4051311; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/120;) alert ip $HOME_NET 
any -> 41.193.159.41 any (msg: "MISP e120 [tlp:white] Outgoing To IP: 41.193.159.41"; classtype:trojan-activity; sid:4051321; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/120;) alert ip $HOME_NET any -> 69.90.132.196 any (msg: "MISP e120 [tlp:white] Outgoing To IP: 69.90.132.196"; classtype:trojan-activity; sid:4051331; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/120;) alert ip $HOME_NET any -> 69.75.114.66 any (msg: "MISP e120 [tlp:white] Outgoing To IP: 69.75.114.66"; classtype:trojan-activity; sid:4051341; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/120;) alert ip $HOME_NET any -> 74.50.133.9 any (msg: "MISP e120 [tlp:white] Outgoing To IP: 74.50.133.9"; classtype:trojan-activity; sid:4051351; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/120;) alert ip $HOME_NET any -> 95.150.74.40 any (msg: "MISP e120 [tlp:white] Outgoing To IP: 95.150.74.40"; classtype:trojan-activity; sid:4051361; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/120;) alert ip $HOME_NET any -> 179.108.87.11 any (msg: "MISP e120 [tlp:white] Outgoing To IP: 179.108.87.11"; classtype:trojan-activity; sid:4051371; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/120;) alert ip $HOME_NET any -> 190.208.42.36 any (msg: "MISP e120 [tlp:white] Outgoing To IP: 190.208.42.36"; classtype:trojan-activity; sid:4051381; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/120;) alert dns any any -> any any (msg: "MISP e120 [tlp:white] Domain ijqdjqnwiduqujqiuezxc.com"; dns.query; content:"ijqdjqnwiduqujqiuezxc.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ijqdjqnwiduqujqiuezxc\.com$/i"; classtype:trojan-activity; sid:4051391; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/120;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e120 [tlp:white] Outgoing HTTP Domain ijqdjqnwiduqujqiuezxc.com"; flow:to_server,established; http.header; 
content: "Host|3a|"; nocase; http.header; content:"ijqdjqnwiduqujqiuezxc.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ijqdjqnwiduqujqiuezxc\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4051392; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/120;) alert dns any any -> any any (msg: "MISP e120 [tlp:white] Domain adistributedmean.net"; dns.query; content:"adistributedmean.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])adistributedmean\.net$/i"; classtype:trojan-activity; sid:4051401; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/120;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e120 [tlp:white] Outgoing HTTP Domain adistributedmean.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"adistributedmean.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])adistributedmean\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4051402; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/120;) alert dns any any -> any any (msg: "MISP e120 [tlp:white] Domain fyibc.com"; dns.query; content:"fyibc.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])fyibc\.com$/i"; classtype:trojan-activity; sid:4051411; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/120;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e120 [tlp:white] Outgoing HTTP Domain fyibc.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"fyibc.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])fyibc\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4051412; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/120;) alert dns any any -> any any (msg: "MISP e120 [tlp:white] Domain fortrunernaskdneazxd.com"; dns.query; content:"fortrunernaskdneazxd.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])fortrunernaskdneazxd\.com$/i"; 
classtype:trojan-activity; sid:4051421; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/120;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e120 [tlp:white] Outgoing HTTP Domain fortrunernaskdneazxd.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"fortrunernaskdneazxd.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])fortrunernaskdneazxd\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4051422; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/120;) alert dns any any -> any any (msg: "MISP e120 [tlp:white] Domain bithedistributedlicense.net"; dns.query; content:"bithedistributedlicense.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])bithedistributedlicense\.net$/i"; classtype:trojan-activity; sid:4051431; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/120;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e120 [tlp:white] Outgoing HTTP Domain bithedistributedlicense.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bithedistributedlicense.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bithedistributedlicense\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4051432; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/120;) alert dns any any -> any any (msg: "MISP e120 [tlp:white] Domain fyicreative.ca"; dns.query; content:"fyicreative.ca"; nocase; pcre: "/(^|[^A-Za-z0-9-])fyicreative\.ca$/i"; classtype:trojan-activity; sid:4051441; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/120;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e120 [tlp:white] Outgoing HTTP Domain fyicreative.ca"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"fyicreative.ca"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])fyicreative\.ca[^A-Za-z0-9-\.]/Hi"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4051442; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/120;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e121 [tlp:white] Outgoing URL http|3a|//i.imgur.com/D2NZc31.png"; flow:to_server,established; http.header; content:"i.imgur.com"; fast_pattern; nocase; http.uri; content:"/D2NZc31.png"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4051451; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/121;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e121 [tlp:white] Outgoing URL http|3a|//i.imgur.com/erx3KtI.png"; flow:to_server,established; http.header; content:"i.imgur.com"; fast_pattern; nocase; http.uri; content:"/erx3KtI.png"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4051461; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/121;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e121 [tlp:white] Outgoing URL http|3a|//argenta.be.klant-aanvragen.a2hosted.com/adebbbaf406ff44ee42334afb0a5cab3/"; flow:to_server,established; http.header; content:"argenta.be.klant-aanvragen.a2hosted.com"; fast_pattern; nocase; http.uri; content:"/adebbbaf406ff44ee42334afb0a5cab3/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4051471; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/121;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e121 [tlp:white] Outgoing URL https|3a|//bitly.com/2BFJzjf"; tls.sni; content:"bitly.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4051481; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/121;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e123 [tlp:white] Outgoing URL http|3a|//www.1588-2040.co.kr/conf/product_old.jpg"; flow:to_server,established; http.header; content:"www.1588-2040.co.kr"; fast_pattern; nocase; http.uri; 
content:"/conf/product_old.jpg"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4051571; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/123;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e123 [tlp:white] Outgoing URL http|3a|//www.1588-2040.co.kr/design/m/images/image/image.php"; flow:to_server,established; http.header; content:"www.1588-2040.co.kr"; fast_pattern; nocase; http.uri; content:"/design/m/images/image/image.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4051581; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/123;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e123 [tlp:white] Outgoing URL http|3a|//www.korea-tax.info/main/local.php"; flow:to_server,established; http.header; content:"www.korea-tax.info"; fast_pattern; nocase; http.uri; content:"/main/local.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4051591; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/123;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e123 [tlp:white] Outgoing URL http|3a|//www.dylboiler.co.kr/admincenter/files/board/4/manager.php"; flow:to_server,established; http.header; content:"www.dylboiler.co.kr"; fast_pattern; nocase; http.uri; content:"/admincenter/files/board/4/manager.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4051601; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/123;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e123 [tlp:white] Outgoing URL http|3a|//www.dylboiler.co.kr/admincenter/files/boad/4/manager.php"; flow:to_server,established; http.header; content:"www.dylboiler.co.kr"; fast_pattern; nocase; http.uri; content:"/admincenter/files/boad/4/manager.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4051651; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/123;) alert 
dns any any -> any any (msg: "MISP e124 [tlp:white] Domain office-update.services"; dns.query; content:"office-update.services"; nocase; pcre: "/(^|[^A-Za-z0-9-])office\-update\.services$/i"; classtype:trojan-activity; sid:4051681; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/124;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e124 [tlp:white] Outgoing HTTP Domain office-update.services"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"office-update.services"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])office\-update\.services[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4051682; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/124;) alert ip $HOME_NET any -> 176.107.185.246 any (msg: "MISP e124 [tlp:white] Outgoing To IP: 176.107.185.246"; classtype:trojan-activity; sid:4051691; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/124;) alert dns any any -> any any (msg: "MISP e124 [tlp:white] Domain jo.foxlove.life"; dns.query; content:"jo.foxlove.life"; nocase; pcre: "/(^|[^A-Za-z0-9-])jo\.foxlove\.life$/i"; classtype:trojan-activity; sid:4051721; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/124;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e124 [tlp:white] Outgoing HTTP Domain jo.foxlove.life"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"jo.foxlove.life"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])jo\.foxlove\.life[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4051722; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/124;) alert dns any any -> any any (msg: "MISP e124 [tlp:white] Domain eg.foxlove.life"; dns.query; content:"eg.foxlove.life"; nocase; pcre: "/(^|[^A-Za-z0-9-])eg\.foxlove\.life$/i"; classtype:trojan-activity; sid:4051731; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/124;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e124 [tlp:white] Outgoing HTTP Domain eg.foxlove.life"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"eg.foxlove.life"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])eg\.foxlove\.life[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4051732; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/124;) alert dns any any -> any any (msg: "MISP e124 [tlp:white] Domain fox.foxlove.life"; dns.query; content:"fox.foxlove.life"; nocase; pcre: "/(^|[^A-Za-z0-9-])fox\.foxlove\.life$/i"; classtype:trojan-activity; sid:4051741; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/124;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e124 [tlp:white] Outgoing HTTP Domain fox.foxlove.life"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"fox.foxlove.life"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])fox\.foxlove\.life[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4051742; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/124;) alert dns any any -> any any (msg: "MISP e124 [tlp:white] Domain download.share2file.pro"; dns.query; content:"download.share2file.pro"; nocase; pcre: "/(^|[^A-Za-z0-9-])download\.share2file\.pro$/i"; classtype:trojan-activity; sid:4051771; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/124;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e124 [tlp:white] Outgoing HTTP Domain download.share2file.pro"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"download.share2file.pro"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])download\.share2file\.pro[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4051772; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/124;) alert dns any any -> any any (msg: "MISP e124 [tlp:white] Domain update.share2file.pro"; dns.query; content:"update.share2file.pro"; nocase; pcre: "/(^|[^A-Za-z0-9-])update\.share2file\.pro$/i"; classtype:trojan-activity; sid:4051811; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/124;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e124 [tlp:white] Outgoing HTTP Domain update.share2file.pro"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"update.share2file.pro"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])update\.share2file\.pro[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4051812; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/124;) alert ip $HOME_NET any -> 192.152.0.152 any (msg: "MISP e125 [tlp:white] Outgoing To IP: 192.152.0.152"; classtype:trojan-activity; sid:4051851; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/125;) alert dns any any -> any any (msg: "MISP e125 [tlp:white] Hostname liltem.flu.cc"; dns.query; content:"liltem.flu.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])liltem\.flu\.cc$/i"; classtype:trojan-activity; sid:4051861; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/125;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e125 [tlp:white] Outgoing HTTP Hostname liltem.flu.cc"; flow:to_server,established; http.header; content: "Host|3a| liltem.flu.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])liltem\.flu\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4051862; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/125;) alert ip $HOME_NET any -> 185.145.128.60 any (msg: "MISP e125 [tlp:white] Outgoing To IP: 185.145.128.60"; classtype:trojan-activity; sid:4051901; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/125;) alert dns any any 
-> any any (msg: "MISP e125 [tlp:white] Domain festy18.info"; dns.query; content:"festy18.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])festy18\.info$/i"; classtype:trojan-activity; sid:4051911; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/125;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e125 [tlp:white] Outgoing HTTP Domain festy18.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"festy18.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])festy18\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4051912; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/125;) alert ip $HOME_NET any -> 101.99.75.184 any (msg: "MISP e125 [tlp:white] Outgoing To IP: 101.99.75.184"; classtype:trojan-activity; sid:4051951; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/125;) alert dns any any -> any any (msg: "MISP e125 [tlp:white] Domain kdotraky.com"; dns.query; content:"kdotraky.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])kdotraky\.com$/i"; classtype:trojan-activity; sid:4051961; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/125;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e125 [tlp:white] Outgoing HTTP Domain kdotraky.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kdotraky.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kdotraky\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4051962; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/125;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e126 [tlp:white] Outgoing URL http|3a|//kdvm5fd6tn6jsbwh.onion"; flow:to_server,established; http.header; content:"kdvm5fd6tn6jsbwh.onion"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4052011; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/126;) 
alert dns any any -> any any (msg: "MISP e127 [tlp:white] Domain cdnverify.net"; dns.query; content:"cdnverify.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])cdnverify\.net$/i"; classtype:trojan-activity; sid:4052101; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/127;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e127 [tlp:white] Outgoing HTTP Domain cdnverify.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cdnverify.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cdnverify\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4052102; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/127;) alert dns any any -> any any (msg: "MISP e129 [tlp:white] Domain bannerssale.com"; dns.query; content:"bannerssale.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])bannerssale\.com$/i"; classtype:trojan-activity; sid:4052201; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/129;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e129 [tlp:white] Outgoing HTTP Domain bannerssale.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bannerssale.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bannerssale\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4052202; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/129;) alert ip $HOME_NET any -> 159.65.131.94 any (msg: "MISP e129 [tlp:white] Outgoing To IP: 159.65.131.94"; classtype:trojan-activity; sid:4052211; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/129;) alert dns any any -> any any (msg: "MISP e129 [tlp:white] Domain aquaadvertisement.com"; dns.query; content:"aquaadvertisement.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])aquaadvertisement\.com$/i"; classtype:trojan-activity; sid:4052221; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/129;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e129 [tlp:white] Outgoing HTTP Domain aquaadvertisement.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"aquaadvertisement.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])aquaadvertisement\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4052222; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/129;) alert ip $HOME_NET any -> 159.65.131.95 any (msg: "MISP e129 [tlp:white] Outgoing To IP: 159.65.131.95"; classtype:trojan-activity; sid:4052231; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/129;) alert dns any any -> any any (msg: "MISP e129 [tlp:white] Hostname listening.secondadvertisements.com"; dns.query; content:"listening.secondadvertisements.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])listening\.secondadvertisements\.com$/i"; classtype:trojan-activity; sid:4052241; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/129;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e129 [tlp:white] Outgoing HTTP Hostname listening.secondadvertisements.com"; flow:to_server,established; http.header; content: "Host|3a| listening.secondadvertisements.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])listening\.secondadvertisements\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4052242; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/129;) alert ip $HOME_NET any -> 207.148.104.5 any (msg: "MISP e129 [tlp:white] Outgoing To IP: 207.148.104.5"; classtype:trojan-activity; sid:4052251; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/129;) alert dns any any -> any any (msg: "MISP e130 [tlp:white] Hostname ssl.arkouthrie.com"; dns.query; content:"ssl.arkouthrie.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ssl\.arkouthrie\.com$/i"; classtype:trojan-activity; sid:4052291; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/130;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e130 [tlp:white] Outgoing HTTP Hostname ssl.arkouthrie.com"; flow:to_server,established; http.header; content: "Host|3a| ssl.arkouthrie.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ssl\.arkouthrie\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4052292; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/130;) alert dns any any -> any any (msg: "MISP e130 [tlp:white] Hostname s3.hiahornber.com"; dns.query; content:"s3.hiahornber.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])s3\.hiahornber\.com$/i"; classtype:trojan-activity; sid:4052301; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/130;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e130 [tlp:white] Outgoing HTTP Hostname s3.hiahornber.com"; flow:to_server,established; http.header; content: "Host|3a| s3.hiahornber.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])s3\.hiahornber\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4052302; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/130;) alert dns any any -> any any (msg: "MISP e130 [tlp:white] Hostname widget.shoreoa.com"; dns.query; content:"widget.shoreoa.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])widget\.shoreoa\.com$/i"; classtype:trojan-activity; sid:4052311; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/130;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e130 [tlp:white] Outgoing HTTP Hostname widget.shoreoa.com"; flow:to_server,established; http.header; content: "Host|3a| widget.shoreoa.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])widget\.shoreoa\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4052312; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/130;) alert ip $HOME_NET any -> 61.240.145.3 any (msg: 
"MISP e131 [tlp:white] Outgoing To IP: 61.240.145.3"; classtype:trojan-activity; sid:4052361; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/131;) alert ip $HOME_NET any -> 61.240.145.4 any (msg: "MISP e131 [tlp:white] Outgoing To IP: 61.240.145.4"; classtype:trojan-activity; sid:4052371; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/131;) alert ip $HOME_NET any -> 61.240.145.5 any (msg: "MISP e131 [tlp:white] Outgoing To IP: 61.240.145.5"; classtype:trojan-activity; sid:4052381; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/131;) alert ip $HOME_NET any -> 194.116.187.130 any (msg: "MISP e132 [tlp:white] Outgoing To IP: 194.116.187.130"; classtype:trojan-activity; sid:4052401; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/132;) alert dns any any -> any any (msg: "MISP e132 [tlp:white] Domain basedow-bilder.de"; dns.query; content:"basedow-bilder.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])basedow\-bilder\.de$/i"; classtype:trojan-activity; sid:4052411; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/132;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e132 [tlp:white] Outgoing HTTP Domain basedow-bilder.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"basedow-bilder.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])basedow\-bilder\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4052412; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/132;) alert ip $HOME_NET any -> 191.6.18.166 any (msg: "MISP e132 [tlp:white] Outgoing To IP: 191.6.18.166"; classtype:trojan-activity; sid:4052421; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/132;) alert ip $HOME_NET any -> 92.53.67.190 any (msg: "MISP e132 [tlp:white] Outgoing To IP: 92.53.67.190"; classtype:trojan-activity; sid:4052431; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/132;) alert ip $HOME_NET any -> 185.159.130.139 any (msg: "MISP e132 [tlp:white] Outgoing To IP: 185.159.130.139"; classtype:trojan-activity; sid:4052441; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/132;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e133 [tlp:white] Outgoing URL photobucket.com/user/nikkireed11/library"; flow:to_server,established; http.uri; content:"photobucket.com/user/nikkireed11/library"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4052481; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/133;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e133 [tlp:white] Outgoing URL photobucket.com/user/kmila302/library"; flow:to_server,established; http.uri; content:"photobucket.com/user/kmila302/library"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4052491; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/133;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e133 [tlp:white] Outgoing URL photobucket.com/user/lisabraun87/library"; flow:to_server,established; http.uri; content:"photobucket.com/user/lisabraun87/library"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4052501; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/133;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e133 [tlp:white] Outgoing URL photobucket.com/user/eva_green1/library"; flow:to_server,established; http.uri; content:"photobucket.com/user/eva_green1/library"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4052511; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/133;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e133 [tlp:white] Outgoing URL photobucket.com/user/monicabelci4/library"; flow:to_server,established; http.uri; 
content:"photobucket.com/user/monicabelci4/library"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4052521; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/133;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e133 [tlp:white] Outgoing URL photobucket.com/user/katyperry45/library"; flow:to_server,established; http.uri; content:"photobucket.com/user/katyperry45/library"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4052531; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/133;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e133 [tlp:white] Outgoing URL photobucket.com/user/saragray1/library"; flow:to_server,established; http.uri; content:"photobucket.com/user/saragray1/library"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4052541; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/133;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e133 [tlp:white] Outgoing URL photobucket.com/user/millerfred/library"; flow:to_server,established; http.uri; content:"photobucket.com/user/millerfred/library"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4052551; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/133;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e133 [tlp:white] Outgoing URL photobucket.com/user/jeniferaniston1/library"; flow:to_server,established; http.uri; content:"photobucket.com/user/jeniferaniston1/library"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4052561; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/133;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e133 [tlp:white] Outgoing URL photobucket.com/user/amandaseyfried1/library"; flow:to_server,established; http.uri; content:"photobucket.com/user/amandaseyfried1/library"; fast_pattern; nocase; 
tag:session,600,seconds; classtype:trojan-activity; sid:4052571; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/133;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e133 [tlp:white] Outgoing URL photobucket.com/user/suwe8/library"; flow:to_server,established; http.uri; content:"photobucket.com/user/suwe8/library"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4052581; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/133;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e133 [tlp:white] Outgoing URL photobucket.com/user/bob7301/library"; flow:to_server,established; http.uri; content:"photobucket.com/user/bob7301/library"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4052591; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/133;) alert dns any any -> any any (msg: "MISP e133 [tlp:white] Domain toknowall.com"; dns.query; content:"toknowall.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])toknowall\.com$/i"; classtype:trojan-activity; sid:4052601; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/133;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e133 [tlp:white] Outgoing HTTP Domain toknowall.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"toknowall.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])toknowall\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4052602; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/133;) alert ip $HOME_NET any -> 91.121.109.209 any (msg: "MISP e133 [tlp:white] Outgoing To IP: 91.121.109.209"; classtype:trojan-activity; sid:4052611; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/133;) alert ip $HOME_NET any -> 217.12.202.40 any (msg: "MISP e133 [tlp:white] Outgoing To IP: 217.12.202.40"; classtype:trojan-activity; sid:4052621; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/133;) alert ip $HOME_NET any -> 94.242.222.68 any (msg: "MISP e133 [tlp:white] Outgoing To IP: 94.242.222.68"; classtype:trojan-activity; sid:4052631; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/133;) alert ip $HOME_NET any -> 82.118.242.124 any (msg: "MISP e133 [tlp:white] Outgoing To IP: 82.118.242.124"; classtype:trojan-activity; sid:4052641; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/133;) alert ip $HOME_NET any -> 46.151.209.33 any (msg: "MISP e133 [tlp:white] Outgoing To IP: 46.151.209.33"; classtype:trojan-activity; sid:4052651; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/133;) alert ip $HOME_NET any -> 217.79.179.14 any (msg: "MISP e133 [tlp:white] Outgoing To IP: 217.79.179.14"; classtype:trojan-activity; sid:4052661; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/133;) alert ip $HOME_NET any -> 91.214.203.144 any (msg: "MISP e133 [tlp:white] Outgoing To IP: 91.214.203.144"; classtype:trojan-activity; sid:4052671; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/133;) alert ip $HOME_NET any -> 95.211.198.231 any (msg: "MISP e133 [tlp:white] Outgoing To IP: 95.211.198.231"; classtype:trojan-activity; sid:4052681; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/133;) alert ip $HOME_NET any -> 195.154.180.60 any (msg: "MISP e133 [tlp:white] Outgoing To IP: 195.154.180.60"; classtype:trojan-activity; sid:4052691; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/133;) alert ip $HOME_NET any -> 5.149.250.54 any (msg: "MISP e133 [tlp:white] Outgoing To IP: 5.149.250.54"; classtype:trojan-activity; sid:4052701; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/133;) alert ip $HOME_NET any -> 91.200.13.76 any (msg: "MISP e133 [tlp:white] Outgoing To IP: 91.200.13.76"; classtype:trojan-activity; sid:4052711; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/133;) alert ip $HOME_NET any -> 94.185.80.82 any (msg: "MISP e133 [tlp:white] Outgoing To IP: 94.185.80.82"; classtype:trojan-activity; sid:4052721; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/133;) alert ip $HOME_NET any -> 62.210.180.229 any (msg: "MISP e133 [tlp:white] Outgoing To IP: 62.210.180.229"; classtype:trojan-activity; sid:4052731; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/133;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e133 [tlp:white] Outgoing URL zuh3vcyskd4gipkm.onion/bin32/update.php"; flow:to_server,established; http.uri; content:"zuh3vcyskd4gipkm.onion/bin32/update.php"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4052741; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/133;) alert ip $HOME_NET any -> 206.189.147.254 any (msg: "MISP e134 [tlp:white] Outgoing To IP: 206.189.147.254"; classtype:trojan-activity; sid:4053261; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/134;) alert ip $HOME_NET any -> 95.142.40.187 any (msg: "MISP e134 [tlp:white] Outgoing To IP: 95.142.40.187"; classtype:trojan-activity; sid:4053271; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/134;) alert ip $HOME_NET any -> 95.142.40.185 any (msg: "MISP e134 [tlp:white] Outgoing To IP: 95.142.40.185"; classtype:trojan-activity; sid:4053281; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/134;) alert ip $HOME_NET any -> 95.142.40.184 any (msg: "MISP e134 [tlp:white] Outgoing To IP: 95.142.40.184"; classtype:trojan-activity; sid:4053291; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/134;) alert ip $HOME_NET any -> 46.30.42.164 any (msg: "MISP e134 [tlp:white] Outgoing To IP: 46.30.42.164"; classtype:trojan-activity; sid:4053301; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/134;) alert ip $HOME_NET 
any -> 104.239.213.7 any (msg: "MISP e134 [tlp:white] Outgoing To IP: 104.239.213.7"; classtype:trojan-activity; sid:4053331; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/134;) alert dns any any -> any any (msg: "MISP e134 [tlp:white] Domain vnz2107.ru"; dns.query; content:"vnz2107.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])vnz2107\.ru$/i"; classtype:trojan-activity; sid:4053341; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/134;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e134 [tlp:white] Outgoing HTTP Domain vnz2107.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vnz2107.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vnz2107\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4053342; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/134;) alert dns any any -> any any (msg: "MISP e135 [tlp:white] Domain cityofdifferentips.gq"; dns.query; content:"cityofdifferentips.gq"; nocase; pcre: "/(^|[^A-Za-z0-9-])cityofdifferentips\.gq$/i"; classtype:trojan-activity; sid:4053361; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/135;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e135 [tlp:white] Outgoing HTTP Domain cityofdifferentips.gq"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cityofdifferentips.gq"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cityofdifferentips\.gq[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4053362; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/135;) alert dns any any -> any any (msg: "MISP e135 [tlp:white] Domain winterforcing.info"; dns.query; content:"winterforcing.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])winterforcing\.info$/i"; classtype:trojan-activity; sid:4053371; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/135;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e135 [tlp:white] Outgoing HTTP Domain winterforcing.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"winterforcing.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])winterforcing\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4053372; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/135;) alert dns any any -> any any (msg: "MISP e135 [tlp:white] Domain wolahedbune.com"; dns.query; content:"wolahedbune.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])wolahedbune\.com$/i"; classtype:trojan-activity; sid:4053381; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/135;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e135 [tlp:white] Outgoing HTTP Domain wolahedbune.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wolahedbune.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wolahedbune\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4053382; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/135;) alert http $HOME_NET any -> 37.48.125.107 $HTTP_PORTS (msg: "MISP e135 [tlp:white] Outgoing URL http|3a|//37.48.125.107/hero.exe"; flow:to_server,established; http.header; content:"37.48.125.107"; fast_pattern; nocase; http.uri; content:"/hero.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4053391; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/135;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e135 [tlp:white] Outgoing URL http|3a|//www.abhinish.com/wp-content/plugins/js_composer/assets/lib/prettyphoto/images/g_frugality_patholytic.html"; flow:to_server,established; http.header; content:"www.abhinish.com"; fast_pattern; nocase; http.uri; content:"/wp-content/plugins/js_composer/assets/lib/prettyphoto/images/g_frugality_patholytic.html"; 
nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4053401; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/135;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e135 [tlp:white] Outgoing URL http|3a|//www.applauce.no/modules/mod_ariimageslidersa/w_aureous_vertically.html"; flow:to_server,established; http.header; content:"www.applauce.no"; fast_pattern; nocase; http.uri; content:"/modules/mod_ariimageslidersa/w_aureous_vertically.html"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4053411; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/135;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e135 [tlp:white] Outgoing URL http|3a|//www.bizplace.co.uk/ghhgtr65d/f_balaenoid_Jordanian.html"; flow:to_server,established; http.header; content:"www.bizplace.co.uk"; fast_pattern; nocase; http.uri; content:"/ghhgtr65d/f_balaenoid_Jordanian.html"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4053421; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/135;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e135 [tlp:white] Outgoing URL http|3a|//www.brigittenyc.com/P_neurocardiac_crippledom.html"; flow:to_server,established; http.header; content:"www.brigittenyc.com"; fast_pattern; nocase; http.uri; content:"/P_neurocardiac_crippledom.html"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4053431; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/135;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e135 [tlp:white] Outgoing URL http|3a|//www.dannemking.com.au/loggers/F_strong_corollated.html"; flow:to_server,established; http.header; content:"www.dannemking.com.au"; fast_pattern; nocase; http.uri; content:"/loggers/F_strong_corollated.html"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4053441; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/135;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e135 [tlp:white] Outgoing URL http|3a|//www.dilsedilli.com/wp-content/plugins/unyson/framework/includes/container-types/box/Q_disprepare_rime.html"; flow:to_server,established; http.header; content:"www.dilsedilli.com"; fast_pattern; nocase; http.uri; content:"/wp-content/plugins/unyson/framework/includes/container-types/box/Q_disprepare_rime.html"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4053451; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/135;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e135 [tlp:white] Outgoing URL http|3a|//www.maratonianos.es/d_urushi_naphthalenoid.html"; flow:to_server,established; http.header; content:"www.maratonianos.es"; fast_pattern; nocase; http.uri; content:"/d_urushi_naphthalenoid.html"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4053461; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/135;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e135 [tlp:white] Outgoing URL http|3a|//www.rentcar.pl//blog/wp-content/uploads/2018/05/p_Petrinist_vacuefy.html"; flow:to_server,established; http.header; content:"www.rentcar.pl"; fast_pattern; nocase; http.uri; content:"//blog/wp-content/uploads/2018/05/p_Petrinist_vacuefy.html"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4053471; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/135;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e135 [tlp:white] Outgoing URL http|3a|//www.rgriggsphoto.com/i_unpitying_skibby.html"; flow:to_server,established; http.header; content:"www.rgriggsphoto.com"; fast_pattern; nocase; http.uri; content:"/i_unpitying_skibby.html"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4053481; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/135;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e135 [tlp:white] Outgoing URL http|3a|//www.tinkhuyenmai99.com/wp-content/uploads/p_overstately_monodromic.html"; flow:to_server,established; http.header; content:"www.tinkhuyenmai99.com"; fast_pattern; nocase; http.uri; content:"/wp-content/uploads/p_overstately_monodromic.html"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4053491; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/135;) alert ip $HOME_NET any -> 85.18.199.251 any (msg: "MISP e135 [tlp:white] Outgoing To IP: 85.18.199.251"; classtype:trojan-activity; sid:4053501; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/135;) alert ip $HOME_NET any -> 111.118.215.40 any (msg: "MISP e135 [tlp:white] Outgoing To IP: 111.118.215.40"; classtype:trojan-activity; sid:4053511; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/135;) alert ip $HOME_NET any -> 46.30.42.66 any (msg: "MISP e135 [tlp:white] Outgoing To IP: 46.30.42.66"; classtype:trojan-activity; sid:4053521; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/135;) alert ip $HOME_NET any -> 185.224.249.152 any (msg: "MISP e135 [tlp:white] Outgoing To IP: 185.224.249.152"; classtype:trojan-activity; sid:4053531; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/135;) alert ip $HOME_NET any -> 37.48.125.107 any (msg: "MISP e135 [tlp:white] Outgoing To IP: 37.48.125.107"; classtype:trojan-activity; sid:4053541; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/135;) alert ip $HOME_NET any -> 37.48.125.114 any (msg: "MISP e135 [tlp:white] Outgoing To IP: 37.48.125.114"; classtype:trojan-activity; sid:4053551; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/135;) alert dns any any -> any any (msg: "MISP e136 [tlp:white] Domain taxhuge.com"; dns.query; content:"taxhuge.com"; nocase; 
pcre: "/(^|[^A-Za-z0-9-])taxhuge\.com$/i"; classtype:trojan-activity; sid:4053601; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/136;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e136 [tlp:white] Outgoing HTTP Domain taxhuge.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"taxhuge.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])taxhuge\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4053602; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/136;) alert ip $HOME_NET any -> 149.56.159.203 any (msg: "MISP e136 [tlp:white] Outgoing To IP: 149.56.159.203"; classtype:trojan-activity; sid:4053611; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/136;) alert dns any any -> any any (msg: "MISP e136 [tlp:white] Hostname 69j366ma35.fedpart.website"; dns.query; content:"69j366ma35.fedpart.website"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])69j366ma35\.fedpart\.website$/i"; classtype:trojan-activity; sid:4053621; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/136;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e136 [tlp:white] Outgoing HTTP Hostname 69j366ma35.fedpart.website"; flow:to_server,established; http.header; content: "Host|3a| 69j366ma35.fedpart.website"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])69j366ma35\.fedpart\.website[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4053622; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/136;) alert ip $HOME_NET any -> 167.114.33.110 any (msg: "MISP e136 [tlp:white] Outgoing To IP: 167.114.33.110"; classtype:trojan-activity; sid:4053631; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/136;) alert dns any any -> any any (msg: "MISP e136 [tlp:white] Hostname a23e5cwd602oe46d.addrole.space"; dns.query; content:"a23e5cwd602oe46d.addrole.space"; nocase; pcre: 
"/(^|[^A-Za-z0-9-\.])a23e5cwd602oe46d\.addrole\.space$/i"; classtype:trojan-activity; sid:4053641; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/136;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e136 [tlp:white] Outgoing HTTP Hostname a23e5cwd602oe46d.addrole.space"; flow:to_server,established; http.header; content: "Host|3a| a23e5cwd602oe46d.addrole.space"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])a23e5cwd602oe46d\.addrole\.space[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4053642; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/136;) alert ip $HOME_NET any -> 167.114.191.124 any (msg: "MISP e136 [tlp:white] Outgoing To IP: 167.114.191.124"; classtype:trojan-activity; sid:4053651; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/136;) alert ip $HOME_NET any -> 139.60.161.51 any (msg: "MISP e136 [tlp:white] Outgoing To IP: 139.60.161.51"; classtype:trojan-activity; sid:4053681; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/136;) alert ip $HOME_NET any -> 54.37.57.152 any (msg: "MISP e136 [tlp:white] Outgoing To IP: 54.37.57.152"; classtype:trojan-activity; sid:4053691; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/136;) alert ip $HOME_NET any -> 185.244.150.110 any (msg: "MISP e136 [tlp:white] Outgoing To IP: 185.244.150.110"; classtype:trojan-activity; sid:4053701; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/136;) alert ip $HOME_NET any -> 64.188.10.44 any (msg: "MISP e136 [tlp:white] Outgoing To IP: 64.188.10.44"; classtype:trojan-activity; sid:4053711; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/136;) alert dns any any -> any any (msg: "MISP e137 [tlp:white] Domain autosoundcheckers.com"; dns.query; content:"autosoundcheckers.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])autosoundcheckers\.com$/i"; classtype:trojan-activity; sid:4053761; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/137;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e137 [tlp:white] Outgoing HTTP Domain autosoundcheckers.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"autosoundcheckers.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])autosoundcheckers\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4053762; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/137;) alert dns any any -> any any (msg: "MISP e138 [tlp:white] Hostname buy.healthcare-internet.com"; dns.query; content:"buy.healthcare-internet.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])buy\.healthcare\-internet\.com$/i"; classtype:trojan-activity; sid:4053831; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/138;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e138 [tlp:white] Outgoing HTTP Hostname buy.healthcare-internet.com"; flow:to_server,established; http.header; content: "Host|3a| buy.healthcare-internet.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])buy\.healthcare\-internet\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4053832; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/138;) alert ip $HOME_NET any -> 188.225.37.242 any (msg: "MISP e140 [tlp:white] Outgoing To IP: 188.225.37.242"; classtype:trojan-activity; sid:4054201; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/140;) alert ip $HOME_NET any -> 193.23.181.154 any (msg: "MISP e140 [tlp:white] Outgoing To IP: 193.23.181.154"; classtype:trojan-activity; sid:4054211; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/140;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e140 [tlp:white] Outgoing URL 193.23.181.154/crypto/?placement=198395354"; flow:to_server,established; http.uri; content:"193.23.181.154/crypto/?placement=198395354"; fast_pattern; 
nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4054221; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/140;) alert ip $HOME_NET any -> 54.37.57.152 any (msg: "MISP e140 [tlp:white] Outgoing To IP: 54.37.57.152"; classtype:trojan-activity; sid:4054241; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/140;) alert ip $HOME_NET any -> 64.188.10.44 any (msg: "MISP e140 [tlp:white] Outgoing To IP: 64.188.10.44"; classtype:trojan-activity; sid:4054251; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/140;) alert ip $HOME_NET any -> 139.60.161.51 any (msg: "MISP e140 [tlp:white] Outgoing To IP: 139.60.161.51"; classtype:trojan-activity; sid:4054261; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/140;) alert ip $HOME_NET any -> 149.56.159.203 any (msg: "MISP e140 [tlp:white] Outgoing To IP: 149.56.159.203"; classtype:trojan-activity; sid:4054271; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/140;) alert ip $HOME_NET any -> 167.114.191.124 any (msg: "MISP e140 [tlp:white] Outgoing To IP: 167.114.191.124"; classtype:trojan-activity; sid:4054281; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/140;) alert ip $HOME_NET any -> 167.114.33.110 any (msg: "MISP e140 [tlp:white] Outgoing To IP: 167.114.33.110"; classtype:trojan-activity; sid:4054291; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/140;) alert ip $HOME_NET any -> 185.244.150.110 any (msg: "MISP e140 [tlp:white] Outgoing To IP: 185.244.150.110"; classtype:trojan-activity; sid:4054301; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/140;) alert dns any any -> any any (msg: "MISP e140 [tlp:white] Domain fedpart.website"; dns.query; content:"fedpart.website"; nocase; pcre: "/(^|[^A-Za-z0-9-])fedpart\.website$/i"; classtype:trojan-activity; sid:4054311; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/140;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e140 [tlp:white] Outgoing HTTP Domain fedpart.website"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"fedpart.website"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])fedpart\.website[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4054312; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/140;) alert dns any any -> any any (msg: "MISP e140 [tlp:white] Domain addrole.space"; dns.query; content:"addrole.space"; nocase; pcre: "/(^|[^A-Za-z0-9-])addrole\.space$/i"; classtype:trojan-activity; sid:4054321; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/140;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e140 [tlp:white] Outgoing HTTP Domain addrole.space"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"addrole.space"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])addrole\.space[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4054322; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/140;) alert dns any any -> any any (msg: "MISP e140 [tlp:white] Domain taxhuge.com"; dns.query; content:"taxhuge.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])taxhuge\.com$/i"; classtype:trojan-activity; sid:4054331; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/140;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e140 [tlp:white] Outgoing HTTP Domain taxhuge.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"taxhuge.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])taxhuge\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4054332; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/140;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e140 [tlp:white] Outgoing URL 91.210.104.247/debug.txt"; 
flow:to_server,established; http.uri; content:"91.210.104.247/debug.txt"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4054341; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/140;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e140 [tlp:white] Outgoing URL 91.210.104.247/putty.exe"; flow:to_server,established; http.uri; content:"91.210.104.247/putty.exe"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4054351; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/140;) alert ip $HOME_NET any -> 200.74.240.219 any (msg: "MISP e140 [tlp:white] Outgoing To IP: 200.74.240.219"; classtype:trojan-activity; sid:4054361; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/140;) alert dns any any -> any any (msg: "MISP e140 [tlp:white] Hostname ethical-buyback.lesbianssahgbrewingqzw.xyz"; dns.query; content:"ethical-buyback.lesbianssahgbrewingqzw.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ethical\-buyback\.lesbianssahgbrewingqzw\.xyz$/i"; classtype:trojan-activity; sid:4054371; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/140;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e140 [tlp:white] Outgoing HTTP Hostname ethical-buyback.lesbianssahgbrewingqzw.xyz"; flow:to_server,established; http.header; content: "Host|3a| ethical-buyback.lesbianssahgbrewingqzw.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ethical\-buyback\.lesbianssahgbrewingqzw\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4054372; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/140;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e140 [tlp:white] Outgoing URL ethical-buyback.lesbianssahgbrewingqzw.xyz/masking_celebration-skies"; flow:to_server,established; http.uri; content:"ethical-buyback.lesbianssahgbrewingqzw.xyz/masking_celebration-skies"; fast_pattern; nocase; 
tag:session,600,seconds; classtype:trojan-activity; sid:4054381; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/140;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e140 [tlp:white] Outgoing URL papconnecting.net/wp-content/traffic.php"; flow:to_server,established; http.uri; content:"papconnecting.net/wp-content/traffic.php"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4054391; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/140;) alert ip $HOME_NET any -> 89.46.222.97 any (msg: "MISP e141 [tlp:white] Outgoing To IP: 89.46.222.97"; classtype:trojan-activity; sid:4054431; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/141;) alert dns any any -> any any (msg: "MISP e141 [tlp:white] Hostname www.facebook-apps.com"; dns.query; content:"www.facebook-apps.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.facebook\-apps\.com$/i"; classtype:trojan-activity; sid:4054481; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/141;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e141 [tlp:white] Outgoing HTTP Hostname www.facebook-apps.com"; flow:to_server,established; http.header; content: "Host|3a| www.facebook-apps.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.facebook\-apps\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4054482; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/141;) alert dns any any -> any any (msg: "MISP e141 [tlp:white] Hostname dlj40s.jdanief.xyz"; dns.query; content:"dlj40s.jdanief.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])dlj40s\.jdanief\.xyz$/i"; classtype:trojan-activity; sid:4054491; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/141;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e141 [tlp:white] Outgoing HTTP Hostname dlj40s.jdanief.xyz"; flow:to_server,established; http.header; content: "Host|3a| 
dlj40s.jdanief.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])dlj40s\.jdanief\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4054492; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/141;) alert ip $HOME_NET any -> 199.247.6.253 any (msg: "MISP e141 [tlp:white] Outgoing To IP: 199.247.6.253"; classtype:trojan-activity; sid:4054521; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/141;) alert ip $HOME_NET any -> 45.76.176.236 any (msg: "MISP e141 [tlp:white] Outgoing To IP: 45.76.176.236"; classtype:trojan-activity; sid:4054531; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/141;) alert dns any any -> any any (msg: "MISP e141 [tlp:white] Hostname goole.authorizeddns.us"; dns.query; content:"goole.authorizeddns.us"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])goole\.authorizeddns\.us$/i"; classtype:trojan-activity; sid:4054561; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/141;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e141 [tlp:white] Outgoing HTTP Hostname goole.authorizeddns.us"; flow:to_server,established; http.header; content: "Host|3a| goole.authorizeddns.us"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])goole\.authorizeddns\.us[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4054562; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/141;) alert ip $HOME_NET any -> 103.75.189.74 any (msg: "MISP e141 [tlp:white] Outgoing To IP: 103.75.189.74"; classtype:trojan-activity; sid:4054571; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/141;) alert ip $HOME_NET any -> 131.153.48.146 any (msg: "MISP e141 [tlp:white] Outgoing To IP: 131.153.48.146"; classtype:trojan-activity; sid:4054581; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/141;) alert dns any any -> any any (msg: "MISP e141 [tlp:white] Hostname microsoft.authorizeddns.us"; dns.query; 
content:"microsoft.authorizeddns.us"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])microsoft\.authorizeddns\.us$/i"; classtype:trojan-activity; sid:4054601; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/141;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e141 [tlp:white] Outgoing HTTP Hostname microsoft.authorizeddns.us"; flow:to_server,established; http.header; content: "Host|3a| microsoft.authorizeddns.us"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])microsoft\.authorizeddns\.us[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4054602; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/141;) alert ip $HOME_NET any -> 103.75.191.177 any (msg: "MISP e141 [tlp:white] Outgoing To IP: 103.75.191.177"; classtype:trojan-activity; sid:4054611; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/141;) alert ip $HOME_NET any -> 103.75.191.75 any (msg: "MISP e141 [tlp:white] Outgoing To IP: 103.75.191.75"; classtype:trojan-activity; sid:4054691; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/141;) alert dns any any -> any any (msg: "MISP e141 [tlp:white] Hostname ftp.chinhphu.ddns.ms"; dns.query; content:"ftp.chinhphu.ddns.ms"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ftp\.chinhphu\.ddns\.ms$/i"; classtype:trojan-activity; sid:4054761; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/141;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e141 [tlp:white] Outgoing HTTP Hostname ftp.chinhphu.ddns.ms"; flow:to_server,established; http.header; content: "Host|3a| ftp.chinhphu.ddns.ms"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ftp\.chinhphu\.ddns\.ms[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4054762; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/141;) alert dns any any -> any any (msg: "MISP e141 [tlp:white] Hostname www.microsoft.https443.org"; dns.query; 
content:"www.microsoft.https443.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.microsoft\.https443\.org$/i"; classtype:trojan-activity; sid:4054781; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/141;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e141 [tlp:white] Outgoing HTTP Hostname www.microsoft.https443.org"; flow:to_server,established; http.header; content: "Host|3a| www.microsoft.https443.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.microsoft\.https443\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4054782; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/141;) alert ip $HOME_NET any -> 45.121.146.26 any (msg: "MISP e141 [tlp:white] Outgoing To IP: 45.121.146.26"; classtype:trojan-activity; sid:4054791; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/141;) alert dns any any -> any any (msg: "MISP e141 [tlp:white] Hostname msdns.otzo.com"; dns.query; content:"msdns.otzo.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])msdns\.otzo\.com$/i"; classtype:trojan-activity; sid:4054811; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/141;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e141 [tlp:white] Outgoing HTTP Hostname msdns.otzo.com"; flow:to_server,established; http.header; content: "Host|3a| msdns.otzo.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])msdns\.otzo\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4054812; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/141;) alert dns any any -> any any (msg: "MISP e142 [tlp:white] Domain okipanelhostingpanel.gq"; dns.query; content:"okipanelhostingpanel.gq"; nocase; pcre: "/(^|[^A-Za-z0-9-])okipanelhostingpanel\.gq$/i"; classtype:trojan-activity; sid:4054841; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/142;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e142 [tlp:white] 
Outgoing HTTP Domain okipanelhostingpanel.gq"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"okipanelhostingpanel.gq"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])okipanelhostingpanel\.gq[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4054842; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/142;) alert dns any any -> any any (msg: "MISP e142 [tlp:white] Domain stellarball.com"; dns.query; content:"stellarball.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])stellarball\.com$/i"; classtype:trojan-activity; sid:4054851; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/142;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e142 [tlp:white] Outgoing HTTP Domain stellarball.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"stellarball.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])stellarball\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4054852; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/142;) alert dns any any -> any any (msg: "MISP e142 [tlp:white] Domain stemtopx.com"; dns.query; content:"stemtopx.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])stemtopx\.com$/i"; classtype:trojan-activity; sid:4054861; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/142;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e142 [tlp:white] Outgoing HTTP Domain stemtopx.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"stemtopx.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])stemtopx\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4054862; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/142;) alert dns any any -> any any (msg: "MISP e142 [tlp:white] Domain stevemike-fireforce.info"; dns.query; content:"stevemike-fireforce.info"; 
nocase; pcre: "/(^|[^A-Za-z0-9-])stevemike\-fireforce\.info$/i"; classtype:trojan-activity; sid:4054871; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/142;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e142 [tlp:white] Outgoing HTTP Domain stevemike-fireforce.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"stevemike-fireforce.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])stevemike\-fireforce\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4054872; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/142;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e142 [tlp:white] Outgoing URL http|3a|//bit.ly/ASD8239ASdmkWi38AS"; flow:to_server,established; http.header; content:"bit.ly"; fast_pattern; nocase; http.uri; content:"/ASD8239ASdmkWi38AS"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4054881; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/142;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e142 [tlp:white] Outgoing URL http|3a|//bit.ly/loadingpleaswaitrr"; flow:to_server,established; http.header; content:"bit.ly"; fast_pattern; nocase; http.uri; content:"/loadingpleaswaitrr"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4054891; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/142;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e142 [tlp:white] Outgoing URL http|3a|//bit.ly/Loadingwaitplez"; flow:to_server,established; http.header; content:"bit.ly"; fast_pattern; nocase; http.uri; content:"/Loadingwaitplez"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4054901; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/142;) alert dns any any -> any any (msg: "MISP e143 [tlp:white] Domain ios-certificate-update.com"; dns.query; 
content:"ios-certificate-update.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ios\-certificate\-update\.com$/i"; classtype:trojan-activity; sid:4055141; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/143;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e143 [tlp:white] Outgoing HTTP Domain ios-certificate-update.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ios-certificate-update.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ios\-certificate\-update\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4055142; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/143;) alert dns any any -> any any (msg: "MISP e143 [tlp:white] Hostname www.wpitcher.com"; dns.query; content:"www.wpitcher.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.wpitcher\.com$/i"; classtype:trojan-activity; sid:4055151; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/143;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e143 [tlp:white] Outgoing HTTP Hostname www.wpitcher.com"; flow:to_server,established; http.header; content: "Host|3a| www.wpitcher.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.wpitcher\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4055152; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/143;) alert dns any any -> any any (msg: "MISP e143 [tlp:white] Domain voguextra.com"; dns.query; content:"voguextra.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])voguextra\.com$/i"; classtype:trojan-activity; sid:4055161; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/143;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e143 [tlp:white] Outgoing HTTP Domain voguextra.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"voguextra.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])voguextra\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4055162; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/143;) alert dns any any -> any any (msg: "MISP e143 [tlp:white] Domain techwach.com"; dns.query; content:"techwach.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])techwach\.com$/i"; classtype:trojan-activity; sid:4055171; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/143;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e143 [tlp:white] Outgoing HTTP Domain techwach.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"techwach.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])techwach\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4055172; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/143;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e144 [tlp:white] Outgoing URL http|3a|//vps11240.hyperhost.name/escape/[some_font_package].msi"; flow:to_server,established; http.header; content:"vps11240.hyperhost.name"; fast_pattern; nocase; http.uri; content:"/escape/[some_font_package].msi"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4055261; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/144;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e144 [tlp:white] Outgoing URL http|3a|//data28.somee"; flow:to_server,established; http.header; content:"data28.somee"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4055271; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/144;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e144 [tlp:white] Outgoing URL http|3a|//carma666.byethost12"; flow:to_server,established; http.header; content:"carma666.byethost12"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4055281; rev:1; 
priority:3; reference:url,https://misp.botvrij.eu/events/view/144;) alert dns any any -> any any (msg: "MISP e145 [tlp:white] Hostname tamboresdelcomahue.com.ar"; dns.query; content:"tamboresdelcomahue.com.ar"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])tamboresdelcomahue\.com\.ar$/i"; classtype:trojan-activity; sid:4055291; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/145;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e145 [tlp:white] Outgoing HTTP Hostname tamboresdelcomahue.com.ar"; flow:to_server,established; http.header; content: "Host|3a| tamboresdelcomahue.com.ar"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])tamboresdelcomahue\.com\.ar[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4055292; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/145;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e145 [tlp:white] Outgoing URL http|3a|//tamboresdelcomahue.com.ar/files/bill.php"; flow:to_server,established; http.header; content:"tamboresdelcomahue.com.ar"; fast_pattern; nocase; http.uri; content:"/files/bill.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4055301; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/145;) alert dns any any -> any any (msg: "MISP e146 [tlp:white] Domain adobe-flash.us"; dns.query; content:"adobe-flash.us"; nocase; pcre: "/(^|[^A-Za-z0-9-])adobe\-flash\.us$/i"; classtype:trojan-activity; sid:4055811; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/146;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e146 [tlp:white] Outgoing HTTP Domain adobe-flash.us"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"adobe-flash.us"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])adobe\-flash\.us[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4055812; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/146;) alert dns any any -> any any (msg: "MISP e146 [tlp:white] Domain ilhost.in"; dns.query; content:"ilhost.in"; nocase; pcre: "/(^|[^A-Za-z0-9-])ilhost\.in$/i"; classtype:trojan-activity; sid:4055821; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/146;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e146 [tlp:white] Outgoing HTTP Domain ilhost.in"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ilhost.in"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ilhost\.in[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4055822; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/146;) alert dns any any -> any any (msg: "MISP e146 [tlp:white] Domain iqhost.us"; dns.query; content:"iqhost.us"; nocase; pcre: "/(^|[^A-Za-z0-9-])iqhost\.us$/i"; classtype:trojan-activity; sid:4055831; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/146;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e146 [tlp:white] Outgoing HTTP Domain iqhost.us"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"iqhost.us"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])iqhost\.us[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4055832; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/146;) alert dns any any -> any any (msg: "MISP e146 [tlp:white] Domain offiice365.us"; dns.query; content:"offiice365.us"; nocase; pcre: "/(^|[^A-Za-z0-9-])offiice365\.us$/i"; classtype:trojan-activity; sid:4055841; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/146;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e146 [tlp:white] Outgoing HTTP Domain offiice365.us"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"offiice365.us"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])offiice365\.us[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4055842; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/146;) alert dns any any -> any any (msg: "MISP e146 [tlp:white] Domain adobe-plugin.bid"; dns.query; content:"adobe-plugin.bid"; nocase; pcre: "/(^|[^A-Za-z0-9-])adobe\-plugin\.bid$/i"; classtype:trojan-activity; sid:4055851; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/146;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e146 [tlp:white] Outgoing HTTP Domain adobe-plugin.bid"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"adobe-plugin.bid"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])adobe\-plugin\.bid[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4055852; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/146;) alert dns any any -> any any (msg: "MISP e146 [tlp:white] Domain microsoft-office-free-templates.in"; dns.query; content:"microsoft-office-free-templates.in"; nocase; pcre: "/(^|[^A-Za-z0-9-])microsoft\-office\-free\-templates\.in$/i"; classtype:trojan-activity; sid:4055861; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/146;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e146 [tlp:white] Outgoing HTTP Domain microsoft-office-free-templates.in"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"microsoft-office-free-templates.in"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])microsoft\-office\-free\-templates\.in[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4055862; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/146;) alert dns any any -> any any (msg: "MISP e146 [tlp:white] Domain microsoft-office-free-templates-download.btc-int.in"; dns.query; content:"microsoft-office-free-templates-download.btc-int.in"; 
nocase; pcre: "/(^|[^A-Za-z0-9-])microsoft\-office\-free\-templates\-download\.btc\-int\.in$/i"; classtype:trojan-activity; sid:4055871; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/146;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e146 [tlp:white] Outgoing HTTP Domain microsoft-office-free-templates-download.btc-int.in"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"microsoft-office-free-templates-download.btc-int.in"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])microsoft\-office\-free\-templates\-download\.btc\-int\.in[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4055872; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/146;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e146 [tlp:white] Outgoing URL 51.254.173.240/file.gif"; flow:to_server,established; http.uri; content:"51.254.173.240/file.gif"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4055881; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/146;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e146 [tlp:white] Outgoing URL adobe-plugin.bid/file.gif"; flow:to_server,established; http.uri; content:"adobe-plugin.bid/file.gif"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4055891; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/146;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e146 [tlp:white] Outgoing URL 188.165.187.235/file.gif"; flow:to_server,established; http.uri; content:"188.165.187.235/file.gif"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4055901; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/146;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e147 [tlp:white] Source Email Address: dhlexpress@paperattention.com"; flow:established,to_server; content:"MAIL 
FROM|3a|"; nocase; content:"dhlexpress@paperattention.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4055931; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/147;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e147 [tlp:white] Outgoing URL http|3a|//www.rebrand.ly/dokom91cee"; flow:to_server,established; http.header; content:"www.rebrand.ly"; fast_pattern; nocase; http.uri; content:"/dokom91cee"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4055941; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/147;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e147 [tlp:white] Outgoing URL https|3a|//a.doko.moe/bfmcuy.zip"; tls.sni; content:"a.doko.moe"; tag:session,600,seconds; classtype:trojan-activity; sid:4055951; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/147;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e147 [tlp:white] Outgoing URL http|3a|//mydocuments1.is/1//T/nw2lA"; flow:to_server,established; http.header; content:"mydocuments1.is"; fast_pattern; nocase; http.uri; content:"/1//T/nw2lA"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4056001; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/147;) alert ip $HOME_NET any -> 107.181.160.197 any (msg: "MISP e150 [tlp:white] Outgoing To IP: 107.181.160.197"; classtype:trojan-activity; sid:4056791; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/150;) alert dns any any -> any any (msg: "MISP e150 [tlp:white] Hostname asq.r77vh0.pw"; dns.query; content:"asq.r77vh0.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])asq\.r77vh0\.pw$/i"; classtype:trojan-activity; sid:4056801; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/150;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e150 [tlp:white] Outgoing HTTP Hostname asq.r77vh0.pw"; 
flow:to_server,established; http.header; content: "Host|3a| asq.r77vh0.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])asq\.r77vh0\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4056802; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/150;) alert dns any any -> any any (msg: "MISP e151 [tlp:white] Domain newsrental.net"; dns.query; content:"newsrental.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])newsrental\.net$/i"; classtype:trojan-activity; sid:4056911; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/151;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e151 [tlp:white] Outgoing HTTP Domain newsrental.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"newsrental.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])newsrental\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4056912; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/151;) alert dns any any -> any any (msg: "MISP e151 [tlp:white] Domain rosbusiness.eu"; dns.query; content:"rosbusiness.eu"; nocase; pcre: "/(^|[^A-Za-z0-9-])rosbusiness\.eu$/i"; classtype:trojan-activity; sid:4056921; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/151;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e151 [tlp:white] Outgoing HTTP Domain rosbusiness.eu"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"rosbusiness.eu"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])rosbusiness\.eu[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4056922; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/151;) alert dns any any -> any any (msg: "MISP e151 [tlp:white] Domain afishaonline.eu"; dns.query; content:"afishaonline.eu"; nocase; pcre: "/(^|[^A-Za-z0-9-])afishaonline\.eu$/i"; classtype:trojan-activity; sid:4056931; rev:1; 
priority:3; reference:url,https://misp.botvrij.eu/events/view/151;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e151 [tlp:white] Outgoing HTTP Domain afishaonline.eu"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"afishaonline.eu"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])afishaonline\.eu[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4056932; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/151;) alert dns any any -> any any (msg: "MISP e151 [tlp:white] Domain sports-collectors.com"; dns.query; content:"sports-collectors.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])sports\-collectors\.com$/i"; classtype:trojan-activity; sid:4056941; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/151;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e151 [tlp:white] Outgoing HTTP Domain sports-collectors.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sports-collectors.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sports\-collectors\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4056942; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/151;) alert ip $HOME_NET any -> 27.102.106.149 any (msg: "MISP e151 [tlp:white] Outgoing To IP: 27.102.106.149"; classtype:trojan-activity; sid:4056951; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/151;) alert dns any any -> any any (msg: "MISP e152 [tlp:white] Hostname top.haletteompson.com"; dns.query; content:"top.haletteompson.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])top\.haletteompson\.com$/i"; classtype:trojan-activity; sid:4056971; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/152;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e152 [tlp:white] Outgoing HTTP Hostname top.haletteompson.com"; flow:to_server,established; http.header; 
content: "Host|3a| top.haletteompson.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])top\.haletteompson\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4056972; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/152;) alert dns any any -> any any (msg: "MISP e152 [tlp:white] Hostname trade.andrewabendroth.com"; dns.query; content:"trade.andrewabendroth.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])trade\.andrewabendroth\.com$/i"; classtype:trojan-activity; sid:4056981; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/152;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e152 [tlp:white] Outgoing HTTP Hostname trade.andrewabendroth.com"; flow:to_server,established; http.header; content: "Host|3a| trade.andrewabendroth.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])trade\.andrewabendroth\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4056982; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/152;) alert dns any any -> any any (msg: "MISP e152 [tlp:white] Hostname press.eonhep.com"; dns.query; content:"press.eonhep.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])press\.eonhep\.com$/i"; classtype:trojan-activity; sid:4056991; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/152;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e152 [tlp:white] Outgoing HTTP Hostname press.eonhep.com"; flow:to_server,established; http.header; content: "Host|3a| press.eonhep.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])press\.eonhep\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4056992; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/152;) alert dns any any -> any any (msg: "MISP e152 [tlp:white] Hostname editor.akotae.com"; dns.query; content:"editor.akotae.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])editor\.akotae\.com$/i"; classtype:trojan-activity; 
sid:4057001; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/152;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e152 [tlp:white] Outgoing HTTP Hostname editor.akotae.com"; flow:to_server,established; http.header; content: "Host|3a| editor.akotae.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])editor\.akotae\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4057002; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/152;) alert dns any any -> any any (msg: "MISP e152 [tlp:white] Hostname web.reeglais.com"; dns.query; content:"web.reeglais.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])web\.reeglais\.com$/i"; classtype:trojan-activity; sid:4057011; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/152;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e152 [tlp:white] Outgoing HTTP Hostname web.reeglais.com"; flow:to_server,established; http.header; content: "Host|3a| web.reeglais.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])web\.reeglais\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4057012; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/152;) alert ip $HOME_NET any -> 184.95.48.12 any (msg: "MISP e152 [tlp:white] Outgoing To IP: 184.95.48.12"; classtype:trojan-activity; sid:4057021; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/152;) alert ip $HOME_NET any -> 104.237.218.82 any (msg: "MISP e152 [tlp:white] Outgoing To IP: 104.237.218.82"; classtype:trojan-activity; sid:4057031; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/152;) alert ip $HOME_NET any -> 104.237.218.85 any (msg: "MISP e152 [tlp:white] Outgoing To IP: 104.237.218.85"; classtype:trojan-activity; sid:4057041; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/152;) alert ip $HOME_NET any -> 66.85.157.90 any (msg: "MISP e152 [tlp:white] Outgoing To IP: 
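66.85.157.90"; classtype:trojan-activity; sid:4057051; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/152;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e154 [tlp:white] Outgoing URL http|3a|//wetnosesandwhiskers.com/driverfix30e45vers.exe"; flow:to_server,established; http.header; content:"wetnosesandwhiskers.com"; fast_pattern; nocase; http.uri; content:"/driverfix30e45vers.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4058841; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/154;)
# e156: the MISP tag circl:incident-classification="phishing" was copied into msg with bare double
# quotes. Suricata refuses a msg containing an unescaped " ("unescaped \" in msg"), so both e156
# rules failed to load. Quotes are now escaped and rev bumped.
# The https URL can only be matched on the TLS SNI; the path /beovex/.../wess.html is never visible,
# so any TLS session to emaskoreaelena.com.my fires. TLS is detected at the app layer, so the
# destination port is opened from 443 to any (a non-standard port was otherwise missed); SNI is
# matched case-insensitively.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e156 [tlp:white,circl:incident-classification=\"phishing\"] Outgoing URL https|3a|//emaskoreaelena.com.my/beovex/mnage/appsmai/voina/beobank/info/wess.html"; tls.sni; content:"emaskoreaelena.com.my"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4059601; rev:2; priority:3; reference:url,https://misp.botvrij.eu/events/view/156;)
# Envelope-sender (MAIL FROM) check on inbound SMTP. This is a plain TCP content match: once the
# session upgrades with STARTTLS nothing after the handshake is inspected, and port 25 only covers
# MX delivery to $SMTP_SERVERS. The envelope sender is trivially forged and need not equal the
# header From:, so a hit is a triage lead, not proof of the campaign.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e156 [tlp:white,circl:incident-classification=\"phishing\"] Source Email Address: lastwasy@personalshopperinflorence.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"lastwasy@personalshopperinflorence.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4059611; rev:2; priority:3; reference:url,https://misp.botvrij.eu/events/view/156;)
# e157: URL on what looks like a compromised WordPress theme path; the http.header match on the host
# is unanchored, so it also matches the name in other headers (e.g. Referer), the URI match is exact.
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e157 [tlp:white] Outgoing URL http|3a|//simplerlife.pl/wp-content/themes/hueman/assets/admin/css/pic.zip"; flow:to_server,established; http.header; content:"simplerlife.pl"; fast_pattern; nocase; http.uri; content:"/wp-content/themes/hueman/assets/admin/css/pic.zip"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4059641; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/157;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 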
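(msg: "MISP e157 [tlp:white] Outgoing URL http|3a|//sidneyyin.com/templates/joomlage0084-aravnik/css/msg.jpg"; flow:to_server,established; http.header; content:"sidneyyin.com"; fast_pattern; nocase; http.uri; content:"/templates/joomlage0084-aravnik/css/msg.jpg"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4059671; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/157;)
alert ip $HOME_NET any -> 62.212.69.227 any (msg: "MISP e157 [tlp:white] Outgoing To IP: 62.212.69.227"; classtype:trojan-activity; sid:4059681; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/157;)
alert ip $HOME_NET any -> 74.220.207.61 any (msg: "MISP e157 [tlp:white] Outgoing To IP: 74.220.207.61"; classtype:trojan-activity; sid:4059691; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/157;)
# e157: this is an email-DST indicator (RCPT TO), i.e. mail *sent to* the listed address. The export
# used the inbound template ($EXTERNAL_NET -> $SMTP_SERVERS 25), which would only match an outside
# host trying to relay to a gmail.com recipient through our MX. Re-pointed at our own outbound side:
# clients submitting to the internal server and that server relaying to an external MX (25/587).
# Both hops normally STARTTLS, so expect visibility only before the upgrade. rev bumped.
alert tcp $HOME_NET any -> any [25,587] (msg: "MISP e157 [tlp:white] Destination Email Address: pilotpilot088@gmail.com"; flow:established,to_server; content:"RCPT TO|3a|"; nocase; content:"pilotpilot088@gmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4059701; rev:2; priority:3; reference:url,https://misp.botvrij.eu/events/view/157;)
# .onion URLs: a plaintext HTTP request carrying this Host header is only on the wire when the client
# reaches the hidden service through a clearnet proxy/gateway rather than a Tor client, and the
# .onion.to / .onion.cab gateways are normally reached over HTTPS, where only the SNI could be
# matched. The header content "cryptsen7fo43rr6.onion" is a prefix of the gateway names, so sid
# 4059711 also fires for both gateway variants. http.uri content "/" matches every request URI.
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e157 [tlp:white] Outgoing URL http|3a|//cryptsen7fo43rr6.onion/"; flow:to_server,established; http.header; content:"cryptsen7fo43rr6.onion"; fast_pattern; nocase; http.uri; content:"/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4059711; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/157;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e157 [tlp:white] Outgoing URL http|3a|//cryptsen7fo43rr6.onion.to/"; flow:to_server,established; http.header; content:"cryptsen7fo43rr6.onion.to"; fast_pattern; nocase; http.uri; content:"/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4059721; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/157;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e157 [tlp:white] Outgoing URL http|3a|//cryptsen7fo43rr6.onion.cab/"; flow:to_server,established; http.header; content:"cryptsen7fo43rr6.onion.cab"; fast_pattern; nocase; http.uri; content:"/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4059731; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/157;)
# e158 (priority 2): exact-host DNS + HTTP Host pairs; the pcre anchors keep the parent domains
# (com.br, blogspot.com) from matching.
alert dns any any -> any any (msg: "MISP e158 [tlp:white] Hostname fejalconstrucoes.com.br"; dns.query; content:"fejalconstrucoes.com.br"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])fejalconstrucoes\.com\.br$/i"; classtype:trojan-activity; sid:4059771; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/158;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e158 [tlp:white] Outgoing HTTP Hostname fejalconstrucoes.com.br"; flow:to_server,established; http.header; content: "Host|3a| fejalconstrucoes.com.br"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])fejalconstrucoes\.com\.br[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4059772; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/158;)
alert dns any any -> any any (msg: "MISP e158 [tlp:white] Hostname internetexplorer200.blogspot.com"; dns.query; content:"internetexplorer200.blogspot.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])internetexplorer200\.blogspot\.com$/i"; classtype:trojan-activity; sid:4059781; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/158;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e158 [tlp:white] Outgoing HTTP Hostname internetexplorer200.blogspot.com"; flow:to_server,established; http.header; content: "Host|3a| internetexplorer200.blogspot.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])internetexplorer200\.blogspot\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; 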
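sid:4059782; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/158;)
# e158 continued: hosts on dynamic-DNS / hosted platforms (duckdns.org, ddns.net, ddns.com.br,
# websiteseguro.com, weebly.com). The exact-host pcre anchors mean the provider's parent domain and
# other customers' subdomains do not match; only the listed label does. One rule per line restored.
alert dns any any -> any any (msg: "MISP e158 [tlp:white] Hostname office365update.duckdns.org"; dns.query; content:"office365update.duckdns.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])office365update\.duckdns\.org$/i"; classtype:trojan-activity; sid:4059791; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/158;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e158 [tlp:white] Outgoing HTTP Hostname office365update.duckdns.org"; flow:to_server,established; http.header; content: "Host|3a| office365update.duckdns.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])office365update\.duckdns\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4059792; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/158;)
alert dns any any -> any any (msg: "MISP e158 [tlp:white] Hostname olhomagicocdt.duckdns.org"; dns.query; content:"olhomagicocdt.duckdns.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])olhomagicocdt\.duckdns\.org$/i"; classtype:trojan-activity; sid:4059801; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/158;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e158 [tlp:white] Outgoing HTTP Hostname olhomagicocdt.duckdns.org"; flow:to_server,established; http.header; content: "Host|3a| olhomagicocdt.duckdns.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])olhomagicocdt\.duckdns\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4059802; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/158;)
alert dns any any -> any any (msg: "MISP e158 [tlp:white] Hostname 498408.ddns.net"; dns.query; content:"498408.ddns.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])498408\.ddns\.net$/i"; classtype:trojan-activity; sid:4059811; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/158;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e158 [tlp:white] Outgoing HTTP Hostname 498408.ddns.net"; flow:to_server,established; http.header; content: "Host|3a| 498408.ddns.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])498408\.ddns\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4059812; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/158;)
alert dns any any -> any any (msg: "MISP e158 [tlp:white] Hostname systenfailued.ddns.com.br"; dns.query; content:"systenfailued.ddns.com.br"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])systenfailued\.ddns\.com\.br$/i"; classtype:trojan-activity; sid:4059821; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/158;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e158 [tlp:white] Outgoing HTTP Hostname systenfailued.ddns.com.br"; flow:to_server,established; http.header; content: "Host|3a| systenfailued.ddns.com.br"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])systenfailued\.ddns\.com\.br[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4059822; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/158;)
alert dns any any -> any any (msg: "MISP e158 [tlp:white] Hostname internetexploter.duckdns.org"; dns.query; content:"internetexploter.duckdns.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])internetexploter\.duckdns\.org$/i"; classtype:trojan-activity; sid:4059831; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/158;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e158 [tlp:white] Outgoing HTTP Hostname internetexploter.duckdns.org"; flow:to_server,established; http.header; content: "Host|3a| internetexploter.duckdns.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])internetexploter\.duckdns\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4059832; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/158;)
alert dns any any -> any any (msg: "MISP e158 [tlp:white] Hostname ssl9294.websiteseguro.com"; dns.query; content:"ssl9294.websiteseguro.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ssl9294\.websiteseguro\.com$/i"; classtype:trojan-activity; sid:4059841; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/158;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e158 [tlp:white] Outgoing HTTP Hostname ssl9294.websiteseguro.com"; flow:to_server,established; http.header; content: "Host|3a| ssl9294.websiteseguro.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ssl9294\.websiteseguro\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4059842; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/158;)
alert dns any any -> any any (msg: "MISP e158 [tlp:white] Hostname c-d-t.weebly.com"; dns.query; content:"c-d-t.weebly.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])c\-d\-t\.weebly\.com$/i"; classtype:trojan-activity; sid:4059851; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/158;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e158 [tlp:white] Outgoing HTTP Hostname c-d-t.weebly.com"; flow:to_server,established; http.header; content: "Host|3a| c-d-t.weebly.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])c\-d\-t\.weebly\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4059852; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/158;)
alert dns any any -> any any (msg: "MISP e158 [tlp:white] Hostname cdtoriginal.ddns.net"; dns.query; content:"cdtoriginal.ddns.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cdtoriginal\.ddns\.net$/i"; classtype:trojan-activity; sid:4060731; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/158;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e158 [tlp:white] Outgoing HTTP Hostname cdtoriginal.ddns.net"; flow:to_server,established; http.header; content: "Host|3a| cdtoriginal.ddns.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cdtoriginal\.ddns\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4060732; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/158;)
# e159: the Hostname pair already fires on any HTTP request to coupondemo.dynamicinnovation.net;
# the URL rules that follow add the specific gate.php paths on top of it (note "cgl-bin", not
# "cgi-bin", in the first path).
alert dns any any -> any any (msg: "MISP e159 [tlp:white] Hostname coupondemo.dynamicinnovation.net"; dns.query; content:"coupondemo.dynamicinnovation.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])coupondemo\.dynamicinnovation\.net$/i"; classtype:trojan-activity; sid:4060771; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/159;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e159 [tlp:white] Outgoing HTTP Hostname coupondemo.dynamicinnovation.net"; flow:to_server,established; http.header; content: "Host|3a| coupondemo.dynamicinnovation.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])coupondemo\.dynamicinnovation\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4060772; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/159;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e159 [tlp:white] Outgoing URL http|3a|//coupondemo.dynamicinnovation.net/cgl-bin/gate.php"; flow:to_server,established; http.header; content:"coupondemo.dynamicinnovation.net"; fast_pattern; nocase; http.uri; content:"/cgl-bin/gate.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4060781; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/159;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e159 [tlp:white] Outgoing URL http|3a|//coupondemo.dynamicinnovation.net/admin/gate.php"; flow:to_server,established; http.header; content:"coupondemo.dynamicinnovation.net"; fast_pattern; nocase; http.uri; content:"/admin/gate.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4060791; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/159;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e159 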
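[tlp:white] Outgoing URL http|3a|//coupondemo.dynamicinnovation.net/glitch/gate.php"; flow:to_server,established; http.header; content:"coupondemo.dynamicinnovation.net"; fast_pattern; nocase; http.uri; content:"/glitch/gate.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4060801; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/159;)
# e160: URL indicators whose host is a literal IP. The destination IP is already fixed in the rule
# header and http.uri content "/" is satisfied by every request URI, so each rule effectively fires
# on any plaintext HTTP request to that IP:port. The rules on 443/8443 only match if Suricata
# classifies the stream as plaintext HTTP; a TLS service on those ports is never seen by
# "alert http" and would need an ip or tls rule instead.
alert http $HOME_NET any -> 84.28.185.76 $HTTP_PORTS (msg: "MISP e160 [tlp:white] Outgoing URL http|3a|//84.28.185.76/wordpress/iBA/"; flow:to_server,established; http.header; content:"84.28.185.76"; fast_pattern; nocase; http.uri; content:"/wordpress/iBA/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4060871; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/160;)
alert http $HOME_NET any -> 45.36.20.17 8443 (msg: "MISP e160 [tlp:white] Outgoing URL http|3a|//45.36.20.17|3a|8443/"; flow:to_server,established; http.header; content:"45.36.20.17"; fast_pattern; nocase; http.uri; content:"/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4060881; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/160;)
alert http $HOME_NET any -> 103.39.131.88 $HTTP_PORTS (msg: "MISP e160 [tlp:white] Outgoing URL http|3a|//103.39.131.88/"; flow:to_server,established; http.header; content:"103.39.131.88"; fast_pattern; nocase; http.uri; content:"/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4060891; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/160;)
alert http $HOME_NET any -> 187.189.195.208 8443 (msg: "MISP e160 [tlp:white] Outgoing URL http|3a|//187.189.195.208|3a|8443/"; flow:to_server,established; http.header; content:"187.189.195.208"; fast_pattern; nocase; http.uri; content:"/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4060901; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/160;)
alert http $HOME_NET any -> 174.56.47.59 $HTTP_PORTS (msg: "MISP e160 [tlp:white] Outgoing URL http|3a|//174.56.47.59/"; flow:to_server,established; http.header; content:"174.56.47.59"; fast_pattern; nocase; http.uri; content:"/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4060911; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/160;)
alert http $HOME_NET any -> 211.63.34.183 443 (msg: "MISP e160 [tlp:white] Outgoing URL http|3a|//211.63.34.183|3a|443/"; flow:to_server,established; http.header; content:"211.63.34.183"; fast_pattern; nocase; http.uri; content:"/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4060921; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/160;)
alert http $HOME_NET any -> 58.171.215.214 8080 (msg: "MISP e160 [tlp:white] Outgoing URL http|3a|//58.171.215.214|3a|8080/"; flow:to_server,established; http.header; content:"58.171.215.214"; fast_pattern; nocase; http.uri; content:"/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4060931; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/160;)
# e161: the indicator is one specific gist (path /kancc14522/626a3a68...), but TLS exposes only the
# SNI "gist.github.com", a shared public service. The rule therefore fires on every gist.github.com
# session and cannot distinguish the malicious gist from any other; keep it as a hunting/correlation
# signal or suppress it, and resolve the path from TLS-terminating proxy logs. Port opened from 443
# to any and SNI matched case-insensitively (TLS is detected at the app layer); rev bumped.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e161 [tlp:white] Outgoing URL https|3a|//gist.github.com/kancc14522/626a3a68a2cc2a91c1ece1eed7610c8a"; tls.sni; content:"gist.github.com"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4061011; rev:2; priority:3; reference:url,https://misp.botvrij.eu/events/view/161;)
# e162: download URL for a shell script on www.autourbe.com.co; the same event lists one binary per
# CPU architecture under the same path, which looks like a multi-architecture IoT bot dropper
# layout. A hit on any of them likely means an already-compromised device fetching its payload.
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e162 [tlp:white] Outgoing URL http|3a|//www.autourbe.com.co/autourbe/language/en-GB/windata/wgetbin.sh"; flow:to_server,established; http.header; content:"www.autourbe.com.co"; fast_pattern; nocase; http.uri; content:"/autourbe/language/en-GB/windata/wgetbin.sh"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4061021; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/162;)
alert dns any any -> any any (msg: "MISP e162 [tlp:white] Domain epicrustserver.cf"; dns.query; 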
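content:"epicrustserver.cf"; nocase; pcre: "/(^|[^A-Za-z0-9-])epicrustserver\.cf$/i"; classtype:trojan-activity; sid:4061031; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/162;)
# e162 "Domain" (not "Hostname") pair: the pcre prefix (^|[^A-Za-z0-9-]) allows a preceding ".", so
# any subdomain of epicrustserver.cf matches as well. The HTTP rule checks "Host:" and the domain as
# two independent http.header matches, so the domain may also be found in another header (Referer).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e162 [tlp:white] Outgoing HTTP Domain epicrustserver.cf"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"epicrustserver.cf"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])epicrustserver\.cf[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4061032; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/162;)
# e162: per-architecture payloads under www.autourbe.com.co/autourbe/language/en-GB/windata/, one
# URL rule per file name, all sharing the same host match. One rule per line restored.
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e162 [tlp:white] Outgoing URL http|3a|//www.autourbe.com.co/autourbe/language/en-GB/windata/clean.mips"; flow:to_server,established; http.header; content:"www.autourbe.com.co"; fast_pattern; nocase; http.uri; content:"/autourbe/language/en-GB/windata/clean.mips"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4061041; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/162;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e162 [tlp:white] Outgoing URL http|3a|//www.autourbe.com.co/autourbe/language/en-GB/windata/clean.mpsl"; flow:to_server,established; http.header; content:"www.autourbe.com.co"; fast_pattern; nocase; http.uri; content:"/autourbe/language/en-GB/windata/clean.mpsl"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4061051; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/162;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e162 [tlp:white] Outgoing URL http|3a|//www.autourbe.com.co/autourbe/language/en-GB/windata/clean.arm"; flow:to_server,established; http.header; content:"www.autourbe.com.co"; fast_pattern; nocase; http.uri; content:"/autourbe/language/en-GB/windata/clean.arm"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4061061; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/162;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e162 [tlp:white] Outgoing URL http|3a|//www.autourbe.com.co/autourbe/language/en-GB/windata/clean.arm5n"; flow:to_server,established; http.header; content:"www.autourbe.com.co"; fast_pattern; nocase; http.uri; content:"/autourbe/language/en-GB/windata/clean.arm5n"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4061071; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/162;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e162 [tlp:white] Outgoing URL http|3a|//www.autourbe.com.co/autourbe/language/en-GB/windata/clean.arm7"; flow:to_server,established; http.header; content:"www.autourbe.com.co"; fast_pattern; nocase; http.uri; content:"/autourbe/language/en-GB/windata/clean.arm7"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4061081; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/162;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e162 [tlp:white] Outgoing URL http|3a|//www.autourbe.com.co/autourbe/language/en-GB/windata/clean.sh4"; flow:to_server,established; http.header; content:"www.autourbe.com.co"; fast_pattern; nocase; http.uri; content:"/autourbe/language/en-GB/windata/clean.s
h4"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4061091; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/162;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e162 [tlp:white] Outgoing URL http|3a|//www.autourbe.com.co/autourbe/language/en-GB/windata/clean.spc"; flow:to_server,established; http.header; content:"www.autourbe.com.co"; fast_pattern; nocase; http.uri; content:"/autourbe/language/en-GB/windata/clean.spc"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4061101; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/162;)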
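alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e162 [tlp:white] Outgoing URL http|3a|//www.autourbe.com.co/autourbe/language/en-GB/windata/clean.x86"; flow:to_server,established; http.header; content:"www.autourbe.com.co"; fast_pattern; nocase; http.uri; content:"/autourbe/language/en-GB/windata/clean.x86"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4061111; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/162;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e162 [tlp:white] Outgoing URL http|3a|//www.autourbe.com.co/autourbe/language/en-GB/windata/clean.ppc"; flow:to_server,established; http.header; content:"www.autourbe.com.co"; fast_pattern; nocase; http.uri; content:"/autourbe/language/en-GB/windata/clean.ppc"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4061121; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/162;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e162 [tlp:white] Outgoing URL http|3a|//www.autourbe.com.co/autourbe/language/en-GB/windata/clean.i686"; flow:to_server,established; http.header; content:"www.autourbe.com.co"; fast_pattern; nocase; http.uri; content:"/autourbe/language/en-GB/windata/clean.i686"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4061131; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/162;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e162 [tlp:white] Outgoing URL http|3a|//www.autourbe.com.co/autourbe/language/en-GB/windata/clean.m68k"; flow:to_server,established; http.header; content:"www.autourbe.com.co"; fast_pattern; nocase; http.uri; content:"/autourbe/language/en-GB/windata/clean.m68k"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4061141; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/162;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e162 [tlp:white] Outgoing URL http|3a|//www.autourbe.com.co/autourbe/language/en-GB/windata/clean.x86_64"; flow:to_server,established; http.header; content:"www.autourbe.com.co"; fast_pattern; nocase; http.uri; content:"/autourbe/language/en-GB/windata/clean.x86_64"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4061151; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/162;)
# e162: the same clean.* file set mirrored on 185.248.140.102 under /bins/. The destination IP is
# fixed in the rule header, and the http.header content repeats it so a Host header (or Referer)
# carrying the IP is required. One rule per line restored.
alert http $HOME_NET any -> 185.248.140.102 $HTTP_PORTS (msg: "MISP e162 [tlp:white] Outgoing URL http|3a|//185.248.140.102/bins/clean.mips"; flow:to_server,established; http.header; content:"185.248.140.102"; fast_pattern; nocase; http.uri; content:"/bins/clean.mips"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4061161; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/162;)
alert http $HOME_NET any -> 185.248.140.102 $HTTP_PORTS (msg: "MISP e162 [tlp:white] Outgoing URL http|3a|//185.248.140.102/bins/clean.mpsl"; flow:to_server,established; http.header; content:"185.248.140.102"; fast_pattern; nocase; http.uri; content:"/bins/clean.mpsl"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4061171; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/162;)
alert http $HOME_NET any -> 185.248.140.102 $HTTP_PORTS (msg: "MISP e162 [tlp:white] Outgoing URL http|3a|//185.248.140.102/bins/clean.arm"; flow:to_server,established; http.header; content:"185.248.140.102"; fast_pattern; nocase; http.uri; content:"/bins/clean.arm"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4061181; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/162;)
alert http $HOME_NET any -> 185.248.140.102 $HTTP_PORTS (msg: "MISP e162 [tlp:white] Outgoing URL http|3a|//185.248.140.102/bins/clean.arm5n"; flow:to_server,established; http.header; content:"185.248.140.102"; fast_pattern; nocase; http.uri; content:"/bins/clean.arm5n"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4061191; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/162;)
alert http $HOME_NET any -> 185.248.140.102 $HTTP_PORTS (msg: "MISP e162 [tlp:white] Outgoing URL http|3a|//185.248.140.102/bins/clean.arm7"; flow:to_server,established; http.header; content:"185.248.140.102"; fast_pattern; nocase; http.uri; content:"/bins/clean.arm7"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4061201; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/162;)
alert http $HOME_NET any -> 185.248.140.102 $HTTP_PORTS (msg: "MISP e162 [tlp:white] Outgoing URL http|3a|//185.248.140.102/bins/clean.sh4"; flow:to_server,established; http.header; content:"185.248.140.102"; fast_pattern; nocase; http.uri; content:"/bins/clean.sh4"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4061211; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/162;)
alert http $HOME_NET any -> 185.248.140.102 $HTTP_PORTS (msg: "MISP e162 [tlp:white] Outgoing URL http|3a|//185.248.140.102/bins/clean.spc"; flow:to_server,established; http.header; content:"185.248.140.102"; fast_pattern; nocase; http.uri; content:"/bins/clean.spc"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4061221; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/162;)
alert http $HOME_NET any -> 185.248.140.102 $HTTP_PORTS (msg: "MISP e162 [tlp:white] Outgoing URL http|3a|//185.248.140.102/bins/clean.x86"; flow:to_server,established; http.header; content:"185.248.140.102"; fast_pattern; nocase; http.uri; content:"/bins/clean.x86"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4061231; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/162;)
alert http $HOME_NET any -> 185.248.140.102 $HTTP_PORTS (msg: "MISP e162 [tlp:white] Outgoing URL http|3a|//185.248.140.102/bins/clean.ppc"; flow:to_server,established; http.header; content:"185.248.140.102"; fast_pattern; nocase; http.uri; content:"/bins/clean.ppc"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4061241; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/162;)
alert http $HOME_NET any -> 185.248.140.102 $HTTP_PORTS (msg: "MISP e162 [tlp:white] Outgoing URL http|3a|//185.248.140.102/bins/clean.i686"; flow:to_server,established; http.header; content:"185.248.140.102"; fast_pattern; nocase; http.uri; content:"/bins/clean.i686"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4061251; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/162;)
alert http $HOME_NET any -> 185.248.140.102 $HTTP_PORTS (msg: "MISP e162 [tlp:white] Outgoing URL http|3a|//185.248.140.102/bins/clean.m68k"; flow:to_server,established; http.header; content:"185.248.140.102"; fast_pattern; nocase; http.uri; content:"/bins/clean.m68k"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4061261; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/162;)
alert http $HOME_NET any -> 185.248.140.102 $HTTP_PORTS (msg: "MISP e162 [tlp:white] Outgoing URL http|3a|//185.248.140.102/bins/clean.x86_64"; flow:to_server,established; http.header; content:"185.248.140.102"; fast_pattern; nocase; http.uri; content:"/bins/clean.x86_64"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4061271; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/162;)
# e162: second payload family ("eeppinen.*") on the same host, served from the web root.
alert http $HOME_NET any -> 185.248.140.102 $HTTP_PORTS (msg: "MISP e162 [tlp:white] Outgoing URL http|3a|//185.248.140.102/eeppinen.arm"; flow:to_server,established; http.header; content:"185.248.140.102"; fast_pattern; nocase; http.uri; content:"/eeppinen.arm"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4062001; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/162;)
alert http $HOME_NET any -> 185.248.140.102 $HTTP_PORTS (msg: "MISP e162 [tlp:white] Outgoing URL http|3a|//185.248.140.102/eeppinen.arm7"; 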
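flow:to_server,established; http.header; content:"185.248.140.102"; fast_pattern; nocase; http.uri; content:"/eeppinen.arm7"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4062011; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/162;)
alert http $HOME_NET any -> 185.248.140.102 $HTTP_PORTS (msg: "MISP e162 [tlp:white] Outgoing URL http|3a|//185.248.140.102/eeppinen.armv4l"; flow:to_server,established; http.header; content:"185.248.140.102"; fast_pattern; nocase; http.uri; content:"/eeppinen.armv4l"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4062021; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/162;)
alert http $HOME_NET any -> 185.248.140.102 $HTTP_PORTS (msg: "MISP e162 [tlp:white] Outgoing URL http|3a|//185.248.140.102/eeppinen.i586"; flow:to_server,established; http.header; content:"185.248.140.102"; fast_pattern; nocase; http.uri; content:"/eeppinen.i586"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4062031; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/162;)
alert http $HOME_NET any -> 185.248.140.102 $HTTP_PORTS (msg: "MISP e162 [tlp:white] Outgoing URL http|3a|//185.248.140.102/eeppinen.i686"; flow:to_server,established; http.header; content:"185.248.140.102"; fast_pattern; nocase; http.uri; content:"/eeppinen.i686"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4062041; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/162;)
alert http $HOME_NET any -> 185.248.140.102 $HTTP_PORTS (msg: "MISP e162 [tlp:white] Outgoing URL http|3a|//185.248.140.102/eeppinen.mips"; flow:to_server,established; http.header; content:"185.248.140.102"; fast_pattern; nocase; http.uri; content:"/eeppinen.mips"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4062051; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/162;)
alert http $HOME_NET any -> 185.248.140.102 $HTTP_PORTS (msg: "MISP e162 [tlp:white] Outgoing URL http|3a|//185.248.140.102/eeppinen.mipsel"; flow:to_server,established; http.header; content:"185.248.140.102"; fast_pattern; nocase; http.uri; content:"/eeppinen.mipsel"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4062061; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/162;)
alert http $HOME_NET any -> 185.248.140.102 $HTTP_PORTS (msg: "MISP e162 [tlp:white] Outgoing URL http|3a|//185.248.140.102/eeppinen.m68k"; flow:to_server,established; http.header; content:"185.248.140.102"; fast_pattern; nocase; http.uri; content:"/eeppinen.m68k"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4062071; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/162;)
alert http $HOME_NET any -> 185.248.140.102 $HTTP_PORTS (msg: "MISP e162 [tlp:white] Outgoing URL http|3a|//185.248.140.102/eeppinen.x86"; flow:to_server,established; http.header; content:"185.248.140.102"; fast_pattern; nocase; http.uri; content:"/eeppinen.x86"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4062081; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/162;)
alert http $HOME_NET any -> 185.248.140.102 $HTTP_PORTS (msg: "MISP e162 [tlp:white] Outgoing URL http|3a|//185.248.140.102/eeppinen.ppc"; flow:to_server,established; http.header; content:"185.248.140.102"; fast_pattern; nocase; http.uri; content:"/eeppinen.ppc"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4062091; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/162;)
alert http $HOME_NET any -> 185.248.140.102 $HTTP_PORTS (msg: "MISP e162 [tlp:white] Outgoing URL http|3a|//185.248.140.102/eeppinen.sh4"; flow:to_server,established; http.header; content:"185.248.140.102"; fast_pattern; nocase; http.uri; content:"/eeppinen.sh4"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4062101; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/162;)
alert http $HOME_NET any -> 185.248.140.102 $HTTP_PORTS (msg: "MISP e162 [tlp:white] Outgoing URL http|3a|//185.248.140.102/eeppinen.sparc"; flow:to_server,established; http.header; content:"185.248.140.102"; fast_pattern; nocase; http.uri; content:"/eeppinen.sparc"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4062111; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/162;)
# e163 (priority 1): sender addresses on free webmail providers (protonmail.com, o2.pl, mail.com),
# matched as inbound SMTP envelope senders. Caveats shared by all eight rules: the address content
# is not anchored relative to "MAIL FROM:", so it is found anywhere in the inspected data; the match
# is plaintext only (nothing after a STARTTLS upgrade is inspected) and assumes $SMTP_SERVERS is the
# on-path MX, so a cloud mail filter in front of it leaves these blind; and an envelope sender is
# forgeable, so priority 1 should not mean paging on a single hit. One rule per line restored.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e163 [tlp:white] Source Email Address: mayarchenot@protonmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"mayarchenot@protonmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4062251; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/163;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e163 [tlp:white] Source Email Address: qicifomuejijika@o2.pl"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"qicifomuejijika@o2.pl"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4062261; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/163;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e163 [tlp:white] Source Email Address: suzumcpherson@protonmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"suzumcpherson@protonmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4062271; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/163;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e163 [tlp:white] Source Email Address: asuxidoruraep1999@o2.pl"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"asuxidoruraep1999@o2.pl"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4062281; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/163;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e163 [tlp:white] Source Email Address: dharmaparrack@protonmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"dharmaparrack@protonmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4062291; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/163;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e163 [tlp:white] Source Email Address: wyattpettigrew8922555@mail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"wyattpettigrew8922555@mail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4062301; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/163;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e163 [tlp:white] Source Email Address: abbschevis@protonmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"abbschevis@protonmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4062311; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/163;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e163 [tlp:white] Source Email Address: ijuqodisunovib98@o2.pl"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"ijuqodisunovib98@o2.pl"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4062321; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/163;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e163 [tlp:white] Source Email Address: 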
cottleakela@protonmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"cottleakela@protonmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4062331; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/163;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e163 [tlp:white] Source Email Address: qyavauzehyco1994@o2.pl"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"qyavauzehyco1994@o2.pl"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4062341; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/163;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e163 [tlp:white] Source Email Address: jinmaglaya@protonmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"jinmaglaya@protonmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4062351; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/163;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e163 [tlp:white] Source Email Address: ypilokomoadae1994@o2.pl"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"ypilokomoadae1994@o2.pl"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4062361; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/163;) alert dns any any -> any any (msg: "MISP e164 [tlp:white] Domain asushotfix.com"; dns.query; content:"asushotfix.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])asushotfix\.com$/i"; classtype:trojan-activity; sid:4062511; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/164;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e164 [tlp:white] Outgoing HTTP Domain asushotfix.com"; 
flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"asushotfix.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])asushotfix\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4062512; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/164;) alert ip $HOME_NET any -> 141.105.71.116 any (msg: "MISP e164 [tlp:white] Outgoing To IP: 141.105.71.116"; classtype:trojan-activity; sid:4062521; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/164;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e164 [tlp:white] Outgoing URL http|3a|//liveupdate01.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER365.zip"; flow:to_server,established; http.header; content:"liveupdate01.asus.com"; fast_pattern; nocase; http.uri; content:"/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER365.zip"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4062531; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/164;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e164 [tlp:white] Outgoing URL https|3a|//liveupdate01s.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER362.zip"; tls.sni; content:"liveupdate01s.asus.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4062541; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/164;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e164 [tlp:white] Outgoing URL https|3a|//liveupdate01s.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER360.zip"; tls.sni; content:"liveupdate01s.asus.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4062551; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/164;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e164 [tlp:white] Outgoing URL 
https|3a|//liveupdate01s.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER359.zip"; tls.sni; content:"liveupdate01s.asus.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4062561; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/164;) alert dns any any -> any any (msg: "MISP e164 [tlp:white] Domain simplexoj.com"; dns.query; content:"simplexoj.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])simplexoj\.com$/i"; classtype:trojan-activity; sid:4117951; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/164;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e164 [tlp:white] Outgoing HTTP Domain simplexoj.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"simplexoj.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])simplexoj\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4117952; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/164;) alert dns any any -> any any (msg: "MISP e164 [tlp:white] Domain homeabcd.com"; dns.query; content:"homeabcd.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])homeabcd\.com$/i"; classtype:trojan-activity; sid:4117961; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/164;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e164 [tlp:white] Outgoing HTTP Domain homeabcd.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"homeabcd.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])homeabcd\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4117962; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/164;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e165 [tlp:white] Outgoing URL http|3a|//situsprediksijitu.com/wp-includes/file/service/ios/EN/04-2019/"; flow:to_server,established; http.header; content:"situsprediksijitu.com"; fast_pattern; nocase; 
http.uri; content:"/wp-includes/file/service/ios/EN/04-2019/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4062621; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/165;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e165 [tlp:white] Outgoing URL https|3a|//escapadesgroup.com.au/cgi-bin/US/support/ios/EN/042019/"; tls.sni; content:"escapadesgroup.com.au"; tag:session,600,seconds; classtype:trojan-activity; sid:4062631; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/165;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e165 [tlp:white] Outgoing URL http|3a|//hirosys.biz/wp-content/llc/support/secure/EN/2019-04/"; flow:to_server,established; http.header; content:"hirosys.biz"; fast_pattern; nocase; http.uri; content:"/wp-content/llc/support/secure/EN/2019-04/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4062641; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/165;) alert http $HOME_NET any -> 107.178.221.225 $HTTP_PORTS (msg: "MISP e165 [tlp:white] Outgoing URL http|3a|//107.178.221.225/jxewyv9/inc/support/ios/En_en/042019/"; flow:to_server,established; http.header; content:"107.178.221.225"; fast_pattern; nocase; http.uri; content:"/jxewyv9/inc/support/ios/En_en/042019/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4062651; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/165;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e165 [tlp:white] Outgoing URL http|3a|//raraty-squires.com/blog/sXzf-4ihmhkO8ISXaF6N_xpQxoZZcQ-fgs/"; flow:to_server,established; http.header; content:"raraty-squires.com"; fast_pattern; nocase; http.uri; content:"/blog/sXzf-4ihmhkO8ISXaF6N_xpQxoZZcQ-fgs/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4062661; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/165;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg: "MISP e165 [tlp:white] Outgoing URL http|3a|//newsmafia.in/d/security/support/sec/EN/2019-04/"; flow:to_server,established; http.header; content:"newsmafia.in"; fast_pattern; nocase; http.uri; content:"/d/security/support/sec/EN/2019-04/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4062671; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/165;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e165 [tlp:white] Outgoing URL https|3a|//jlseditions.fr/wp-content/SPNT-FNzUWeaXTjQ8nqv_qWocBOMe-RT6/"; tls.sni; content:"jlseditions.fr"; tag:session,600,seconds; classtype:trojan-activity; sid:4062681; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/165;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e165 [tlp:white] Outgoing URL http|3a|//netcom-soft.com/eng/NgqF-1QgEEkvjQ0MkjZ_zYLYiaLye-Z8t/"; flow:to_server,established; http.header; content:"netcom-soft.com"; fast_pattern; nocase; http.uri; content:"/eng/NgqF-1QgEEkvjQ0MkjZ_zYLYiaLye-Z8t/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4062691; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/165;) alert http $HOME_NET any -> 132.145.153.89 $HTTP_PORTS (msg: "MISP e165 [tlp:white] Outgoing URL http|3a|//132.145.153.89/trust.accs.send.net/files/messages/sec/en_EN/201904/"; flow:to_server,established; http.header; content:"132.145.153.89"; fast_pattern; nocase; http.uri; content:"/trust.accs.send.net/files/messages/sec/en_EN/201904/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4062701; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/165;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e165 [tlp:white] Outgoing URL http|3a|//tem2.belocal.today/optometrist/privacy/messages/sec/En_en/2019-04/"; flow:to_server,established; http.header; content:"tem2.belocal.today"; fast_pattern; nocase; http.uri; 
content:"/optometrist/privacy/messages/sec/En_en/2019-04/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4062711; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/165;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e166 [tlp:white] Outgoing URL https|3a|//a.pomf.cat/"; tls.sni; content:"a.pomf.cat"; tag:session,600,seconds; classtype:trojan-activity; sid:4062731; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/166;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e166 [tlp:white] Outgoing URL http|3a|//pomf.cat/upload.php"; flow:to_server,established; http.header; content:"pomf.cat"; fast_pattern; nocase; http.uri; content:"/upload.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4062741; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/166;) alert ip $HOME_NET any -> 112.213.89.40 any (msg: "MISP e166 [tlp:white] Outgoing To IP: 112.213.89.40"; classtype:trojan-activity; sid:4062751; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/166;) alert ip $HOME_NET any -> 67.23.254.61 any (msg: "MISP e166 [tlp:white] Outgoing To IP: 67.23.254.61"; classtype:trojan-activity; sid:4062761; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/166;) alert ip $HOME_NET any -> 62.212.33.98 any (msg: "MISP e166 [tlp:white] Outgoing To IP: 62.212.33.98"; classtype:trojan-activity; sid:4062771; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/166;) alert ip $HOME_NET any -> 153.92.5.124 any (msg: "MISP e166 [tlp:white] Outgoing To IP: 153.92.5.124"; classtype:trojan-activity; sid:4062781; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/166;) alert ip $HOME_NET any -> 185.117.22.197 any (msg: "MISP e166 [tlp:white] Outgoing To IP: 185.117.22.197"; classtype:trojan-activity; sid:4062791; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/166;) alert ip $HOME_NET 
any -> 23.94.188.246 any (msg: "MISP e166 [tlp:white] Outgoing To IP: 23.94.188.246"; classtype:trojan-activity; sid:4062801; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/166;) alert ip $HOME_NET any -> 67.23.254.170 any (msg: "MISP e166 [tlp:white] Outgoing To IP: 67.23.254.170"; classtype:trojan-activity; sid:4062811; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/166;) alert ip $HOME_NET any -> 72.52.150.218 any (msg: "MISP e166 [tlp:white] Outgoing To IP: 72.52.150.218"; classtype:trojan-activity; sid:4062821; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/166;) alert ip $HOME_NET any -> 148.66.136.62 any (msg: "MISP e166 [tlp:white] Outgoing To IP: 148.66.136.62"; classtype:trojan-activity; sid:4062831; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/166;) alert ip $HOME_NET any -> 107.180.24.253 any (msg: "MISP e166 [tlp:white] Outgoing To IP: 107.180.24.253"; classtype:trojan-activity; sid:4062841; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/166;) alert ip $HOME_NET any -> 108.179.246.138 any (msg: "MISP e166 [tlp:white] Outgoing To IP: 108.179.246.138"; classtype:trojan-activity; sid:4062851; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/166;) alert ip $HOME_NET any -> 18.221.35.214 any (msg: "MISP e166 [tlp:white] Outgoing To IP: 18.221.35.214"; classtype:trojan-activity; sid:4062861; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/166;) alert ip $HOME_NET any -> 94.46.15.200 any (msg: "MISP e166 [tlp:white] Outgoing To IP: 94.46.15.200"; classtype:trojan-activity; sid:4062871; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/166;) alert ip $HOME_NET any -> 66.23.237.186 any (msg: "MISP e166 [tlp:white] Outgoing To IP: 66.23.237.186"; classtype:trojan-activity; sid:4062881; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/166;) alert dns any any -> any any (msg: 
"MISP e166 [tlp:white] Hostname tfvn.com.vn"; dns.query; content:"tfvn.com.vn"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])tfvn\.com\.vn$/i"; classtype:trojan-activity; sid:4062891; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/166;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e166 [tlp:white] Outgoing HTTP Hostname tfvn.com.vn"; flow:to_server,established; http.header; content: "Host|3a| tfvn.com.vn"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])tfvn\.com\.vn[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4062892; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/166;) alert dns any any -> any any (msg: "MISP e166 [tlp:white] Domain shirkeswitch.net"; dns.query; content:"shirkeswitch.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])shirkeswitch\.net$/i"; classtype:trojan-activity; sid:4062901; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/166;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e166 [tlp:white] Outgoing HTTP Domain shirkeswitch.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"shirkeswitch.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])shirkeswitch\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4062902; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/166;) alert dns any any -> any any (msg: "MISP e166 [tlp:white] Domain guideofgeorgia.org"; dns.query; content:"guideofgeorgia.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])guideofgeorgia\.org$/i"; classtype:trojan-activity; sid:4062911; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/166;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e166 [tlp:white] Outgoing HTTP Domain guideofgeorgia.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"guideofgeorgia.org"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])guideofgeorgia\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4062912; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/166;) alert dns any any -> any any (msg: "MISP e166 [tlp:white] Domain gulfclouds.site"; dns.query; content:"gulfclouds.site"; nocase; pcre: "/(^|[^A-Za-z0-9-])gulfclouds\.site$/i"; classtype:trojan-activity; sid:4062921; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/166;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e166 [tlp:white] Outgoing HTTP Domain gulfclouds.site"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gulfclouds.site"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gulfclouds\.site[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4062922; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/166;) alert dns any any -> any any (msg: "MISP e166 [tlp:white] Domain jhssourcingltd.com"; dns.query; content:"jhssourcingltd.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])jhssourcingltd\.com$/i"; classtype:trojan-activity; sid:4062931; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/166;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e166 [tlp:white] Outgoing HTTP Domain jhssourcingltd.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"jhssourcingltd.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])jhssourcingltd\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4062932; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/166;) alert dns any any -> any any (msg: "MISP e166 [tlp:white] Domain kamagra4uk.com"; dns.query; content:"kamagra4uk.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])kamagra4uk\.com$/i"; classtype:trojan-activity; sid:4062941; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/166;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e166 [tlp:white] Outgoing HTTP Domain kamagra4uk.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kamagra4uk.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kamagra4uk\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4062942; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/166;) alert dns any any -> any any (msg: "MISP e166 [tlp:white] Domain pioneerfitting.com"; dns.query; content:"pioneerfitting.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])pioneerfitting\.com$/i"; classtype:trojan-activity; sid:4062951; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/166;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e166 [tlp:white] Outgoing HTTP Domain pioneerfitting.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pioneerfitting.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pioneerfitting\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4062952; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/166;) alert dns any any -> any any (msg: "MISP e166 [tlp:white] Domain positronicsindia.com"; dns.query; content:"positronicsindia.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])positronicsindia\.com$/i"; classtype:trojan-activity; sid:4062961; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/166;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e166 [tlp:white] Outgoing HTTP Domain positronicsindia.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"positronicsindia.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])positronicsindia\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4062962; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/166;) alert dns any any -> any any (msg: 
"MISP e166 [tlp:white] Domain scseguros.pt"; dns.query; content:"scseguros.pt"; nocase; pcre: "/(^|[^A-Za-z0-9-])scseguros\.pt$/i"; classtype:trojan-activity; sid:4062971; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/166;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e166 [tlp:white] Outgoing HTTP Domain scseguros.pt"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"scseguros.pt"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])scseguros\.pt[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4062972; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/166;) alert dns any any -> any any (msg: "MISP e166 [tlp:white] Domain spldernet.com"; dns.query; content:"spldernet.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])spldernet\.com$/i"; classtype:trojan-activity; sid:4062981; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/166;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e166 [tlp:white] Outgoing HTTP Domain spldernet.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"spldernet.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])spldernet\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4062982; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/166;) alert dns any any -> any any (msg: "MISP e166 [tlp:white] Domain toshioco.com"; dns.query; content:"toshioco.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])toshioco\.com$/i"; classtype:trojan-activity; sid:4062991; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/166;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e166 [tlp:white] Outgoing HTTP Domain toshioco.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"toshioco.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])toshioco\.com[^A-Za-z0-9-\.]/Hi"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4062992; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/166;) alert dns any any -> any any (msg: "MISP e166 [tlp:white] Hostname www.happytohelpyou.in"; dns.query; content:"www.happytohelpyou.in"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.happytohelpyou\.in$/i"; classtype:trojan-activity; sid:4063001; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/166;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e166 [tlp:white] Outgoing HTTP Hostname www.happytohelpyou.in"; flow:to_server,established; http.header; content: "Host|3a| www.happytohelpyou.in"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.happytohelpyou\.in[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4063002; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/166;) alert dns any any -> any any (msg: "MISP e167 [tlp:white] Domain coldfart.com"; dns.query; content:"coldfart.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])coldfart\.com$/i"; classtype:trojan-activity; sid:4063091; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/167;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e167 [tlp:white] Outgoing HTTP Domain coldfart.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"coldfart.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])coldfart\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4063092; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/167;) alert dns any any -> any any (msg: "MISP e167 [tlp:white] Domain rimrun.com"; dns.query; content:"rimrun.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])rimrun\.com$/i"; classtype:trojan-activity; sid:4063101; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/167;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e167 [tlp:white] Outgoing HTTP Domain rimrun.com"; 
flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"rimrun.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])rimrun\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4063102; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/167;) alert dns any any -> any any (msg: "MISP e167 [tlp:white] Domain kuternull.com"; dns.query; content:"kuternull.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])kuternull\.com$/i"; classtype:trojan-activity; sid:4063111; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/167;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e167 [tlp:white] Outgoing HTTP Domain kuternull.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kuternull.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kuternull\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4063112; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/167;) alert ip $HOME_NET any -> 108.62.141.247 any (msg: "MISP e167 [tlp:white] Outgoing To IP: 108.62.141.247"; classtype:trojan-activity; sid:4063121; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/167;) alert dns any any -> any any (msg: "MISP e168 [tlp:white] Domain minergate.com"; dns.query; content:"minergate.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])minergate\.com$/i"; classtype:trojan-activity; sid:4063131; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/168;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e168 [tlp:white] Outgoing HTTP Domain minergate.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"minergate.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])minergate\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4063132; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/168;) 
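# ---------------------------------------------------------------------------
# Review notes, MISP events 168-179 (Suricata export).
# Rules are restored to one per line (Suricata does not accept wrapped
# rules). Unmodified rules keep their sid/rev/msg byte-for-byte; the rules
# that were changed carry rev:2 and a comment directly above them.
#
# * "alert ip ... any" rules match every protocol and port to the address.
#   Several e168/e177 addresses (104.25.208.15, 104.25.209.15, 104.28.2.169,
#   184.168.221.42/.45/.63, 50.63.202.39, 208.91.197.25) appear to sit in
#   CDN / shared-hosting / domain-parking space that many unrelated sites
#   share -- verify current ownership before alerting (let alone dropping)
#   on them, otherwise expect false positives. Likewise the two
#   *.cloudfront.net names are CDN distributions, not attacker-owned hosts.
# * "alert tls" rules only see the SNI, not the URL path quoted in their
#   msg, so every TLS session to that SNI fires. Where several MISP URL
#   attributes share one SNI (1292172017.rsc.cdn77.org: 3 rules,
#   dd.heheda.tk: 4 rules, dd.cloudappconfig.com: 5 rules) the duplicates
#   all fire on the same session; collapse them or add a threshold if alert
#   volume matters. They are also pinned to dst port 443; Suricata detects
#   TLS on any port, so "any" would also cover non-standard ports.
# * The "/H" pcre modifier is the legacy Snort-style buffer selector; after
#   the http.header sticky buffer it is redundant, and newer Suricata
#   releases warn about legacy modifiers -- check with `suricata -T` on the
#   version you run.
# ---------------------------------------------------------------------------

# --- MISP event 168 (priority 1) ---
alert dns any any -> any any (msg: "MISP e168 [tlp:white] Domain minexmr.com"; dns.query; content:"minexmr.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])minexmr\.com$/i"; classtype:trojan-activity; sid:4063141; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/168;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e168 [tlp:white] Outgoing HTTP Domain minexmr.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"minexmr.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])minexmr\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4063142; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/168;)
alert ip $HOME_NET any -> 78.46.91.134 any (msg: "MISP e168 [tlp:white] Outgoing To IP: 78.46.91.134"; classtype:trojan-activity; sid:4063151; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/168;)
# 104.25.208.15 / 104.25.209.15: appear to be shared CDN edge addresses -- see review notes above.
alert ip $HOME_NET any -> 104.25.208.15 any (msg: "MISP e168 [tlp:white] Outgoing To IP: 104.25.208.15"; classtype:trojan-activity; sid:4063161; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/168;)
alert ip $HOME_NET any -> 104.25.209.15 any (msg: "MISP e168 [tlp:white] Outgoing To IP: 104.25.209.15"; classtype:trojan-activity; sid:4063171; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/168;)
alert ip $HOME_NET any -> 136.243.102.167 any (msg: "MISP e168 [tlp:white] Outgoing To IP: 136.243.102.167"; classtype:trojan-activity; sid:4063181; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/168;)
alert ip $HOME_NET any -> 136.243.102.154 any (msg: "MISP e168 [tlp:white] Outgoing To IP: 136.243.102.154"; classtype:trojan-activity; sid:4063191; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/168;)
alert ip $HOME_NET any -> 94.130.143.162 any (msg: "MISP e168 [tlp:white] Outgoing To IP: 94.130.143.162"; classtype:trojan-activity; sid:4063201; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/168;)
alert ip $HOME_NET any -> 88.99.142.163 any (msg: "MISP e168 [tlp:white] Outgoing To IP: 88.99.142.163"; classtype:trojan-activity; sid:4063211; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/168;)
alert ip $HOME_NET any -> 72.11.140.178 any (msg: "MISP e168 [tlp:white] Outgoing To IP: 72.11.140.178"; classtype:trojan-activity; sid:4063221; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/168;)

# --- MISP event 169 (priority 3) ---
alert http $HOME_NET any -> 188.166.74.218 $HTTP_PORTS (msg: "MISP e169 [tlp:white] Outgoing URL http|3a|//188.166.74.218/office.exe"; flow:to_server,established; http.header; content:"188.166.74.218"; fast_pattern; nocase; http.uri; content:"/office.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4063321; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/169;)
alert http $HOME_NET any -> 188.166.74.218 $HTTP_PORTS (msg: "MISP e169 [tlp:white] Outgoing URL http|3a|//188.166.74.218/radm.exe"; flow:to_server,established; http.header; content:"188.166.74.218"; fast_pattern; nocase; http.uri; content:"/radm.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4063331; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/169;)
alert http $HOME_NET any -> 188.166.74.218 $HTTP_PORTS (msg: "MISP e169 [tlp:white] Outgoing URL http|3a|//188.166.74.218/untitled.exe"; flow:to_server,established; http.header; content:"188.166.74.218"; fast_pattern; nocase; http.uri; content:"/untitled.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4063341; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/169;)
alert http $HOME_NET any -> 45.55.211.79 $HTTP_PORTS (msg: "MISP e169 [tlp:white] Outgoing URL http|3a|//45.55.211.79/.cache/untitled.exe"; flow:to_server,established; http.header; content:"45.55.211.79"; fast_pattern; nocase; http.uri; content:"/.cache/untitled.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4063351; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/169;)
alert ip $HOME_NET any -> 130.61.54.136 any (msg: "MISP e169 [tlp:white] Outgoing To IP: 130.61.54.136"; classtype:trojan-activity; sid:4063361; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/169;)
alert dns any any -> any any (msg: "MISP e169 [tlp:white] Domain decryptor.top"; dns.query; content:"decryptor.top"; nocase; pcre: "/(^|[^A-Za-z0-9-])decryptor\.top$/i"; classtype:trojan-activity; sid:4063371; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/169;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e169 [tlp:white] Outgoing HTTP Domain decryptor.top"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"decryptor.top"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])decryptor\.top[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4063372; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/169;)

# --- MISP event 170 (priority 3) ---
alert dns any any -> any any (msg: "MISP e170 [tlp:white] Hostname lg.prodigyprinting.com"; dns.query; content:"lg.prodigyprinting.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])lg\.prodigyprinting\.com$/i"; classtype:trojan-activity; sid:4063391; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/170;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e170 [tlp:white] Outgoing HTTP Hostname lg.prodigyprinting.com"; flow:to_server,established; http.header; content: "Host|3a| lg.prodigyprinting.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])lg\.prodigyprinting\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4063392; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/170;)
alert dns any any -> any any (msg: "MISP e170 [tlp:white] Hostname hp.prodigyprinting.com"; dns.query; content:"hp.prodigyprinting.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])hp\.prodigyprinting\.com$/i"; classtype:trojan-activity; sid:4063401; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/170;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e170 [tlp:white] Outgoing HTTP Hostname hp.prodigyprinting.com"; flow:to_server,established; http.header; content: "Host|3a| hp.prodigyprinting.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])hp\.prodigyprinting\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4063402; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/170;)
alert dns any any -> any any (msg: "MISP e170 [tlp:white] Hostname layering.wyattspaintbody.net"; dns.query; content:"layering.wyattspaintbody.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])layering\.wyattspaintbody\.net$/i"; classtype:trojan-activity; sid:4063411; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/170;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e170 [tlp:white] Outgoing HTTP Hostname layering.wyattspaintbody.net"; flow:to_server,established; http.header; content: "Host|3a| layering.wyattspaintbody.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])layering\.wyattspaintbody\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4063412; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/170;)
alert dns any any -> any any (msg: "MISP e170 [tlp:white] Hostname painting.duncan-plumbing.com"; dns.query; content:"painting.duncan-plumbing.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])painting\.duncan\-plumbing\.com$/i"; classtype:trojan-activity; sid:4063421; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/170;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e170 [tlp:white] Outgoing HTTP Hostname painting.duncan-plumbing.com"; flow:to_server,established; http.header; content: "Host|3a| painting.duncan-plumbing.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])painting\.duncan\-plumbing\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4063422; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/170;)

# --- MISP event 171 (priority 3) ---
alert dns any any -> any any (msg: "MISP e171 [tlp:white] Domain systemten.org"; dns.query; content:"systemten.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])systemten\.org$/i"; classtype:trojan-activity; sid:4064591; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/171;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e171 [tlp:white] Outgoing HTTP Domain systemten.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"systemten.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])systemten\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4064592; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/171;)

# --- MISP event 173 (priority 3) ---
alert ip $HOME_NET any -> 185.254.190.200 any (msg: "MISP e173 [tlp:white] Outgoing To IP: 185.254.190.200"; classtype:trojan-activity; sid:4064771; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/173;)
alert dns any any -> any any (msg: "MISP e173 [tlp:white] Domain makemoneyeasywith.me"; dns.query; content:"makemoneyeasywith.me"; nocase; pcre: "/(^|[^A-Za-z0-9-])makemoneyeasywith\.me$/i"; classtype:trojan-activity; sid:4064781; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/173;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e173 [tlp:white] Outgoing HTTP Domain makemoneyeasywith.me"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"makemoneyeasywith.me"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])makemoneyeasywith\.me[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4064782; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/173;)
alert ip $HOME_NET any -> 188.225.26.48 any (msg: "MISP e173 [tlp:white] Outgoing To IP: 188.225.26.48"; classtype:trojan-activity; sid:4064791; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/173;)
alert ip $HOME_NET any -> 195.154.255.65 any (msg: "MISP e173 [tlp:white] Outgoing To IP: 195.154.255.65"; classtype:trojan-activity; sid:4064801; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/173;)

# --- MISP event 174 (priority 2) ---
alert ip $HOME_NET any -> 185.64.105.100 any (msg: "MISP e174 [tlp:white] Outgoing To IP: 185.64.105.100"; classtype:trojan-activity; sid:4064831; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/174;)
alert ip $HOME_NET any -> 178.17.167.51 any (msg: "MISP e174 [tlp:white] Outgoing To IP: 178.17.167.51"; classtype:trojan-activity; sid:4064841; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/174;)
alert ip $HOME_NET any -> 95.179.131.225 any (msg: "MISP e174 [tlp:white] Outgoing To IP: 95.179.131.225"; classtype:trojan-activity; sid:4064851; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/174;)
alert ip $HOME_NET any -> 140.82.58.253 any (msg: "MISP e174 [tlp:white] Outgoing To IP: 140.82.58.253"; classtype:trojan-activity; sid:4064861; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/174;)
alert ip $HOME_NET any -> 95.179.156.61 any (msg: "MISP e174 [tlp:white] Outgoing To IP: 95.179.156.61"; classtype:trojan-activity; sid:4064871; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/174;)
alert ip $HOME_NET any -> 196.29.187.100 any (msg: "MISP e174 [tlp:white] Outgoing To IP: 196.29.187.100"; classtype:trojan-activity; sid:4064881; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/174;)
alert ip $HOME_NET any -> 188.226.192.35 any (msg: "MISP e174 [tlp:white] Outgoing To IP: 188.226.192.35"; classtype:trojan-activity; sid:4064891; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/174;)
# ns1/ns2.* below are name-server hostnames; the HTTP Host: variants will rarely see traffic, the DNS variants are the useful ones.
alert dns any any -> any any (msg: "MISP e174 [tlp:white] Hostname ns1.rootdnservers.com"; dns.query; content:"ns1.rootdnservers.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ns1\.rootdnservers\.com$/i"; classtype:trojan-activity; sid:4064901; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/174;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e174 [tlp:white] Outgoing HTTP Hostname ns1.rootdnservers.com"; flow:to_server,established; http.header; content: "Host|3a| ns1.rootdnservers.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ns1\.rootdnservers\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4064902; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/174;)
alert dns any any -> any any (msg: "MISP e174 [tlp:white] Hostname ns2.rootdnservers.com"; dns.query; content:"ns2.rootdnservers.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ns2\.rootdnservers\.com$/i"; classtype:trojan-activity; sid:4064911; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/174;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e174 [tlp:white] Outgoing HTTP Hostname ns2.rootdnservers.com"; flow:to_server,established; http.header; content: "Host|3a| ns2.rootdnservers.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ns2\.rootdnservers\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4064912; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/174;)
alert ip $HOME_NET any -> 45.32.100.62 any (msg: "MISP e174 [tlp:white] Outgoing To IP: 45.32.100.62"; classtype:trojan-activity; sid:4064921; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/174;)
alert dns any any -> any any (msg: "MISP e174 [tlp:white] Hostname ns1.intersecdns.com"; dns.query; content:"ns1.intersecdns.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ns1\.intersecdns\.com$/i"; classtype:trojan-activity; sid:4064931; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/174;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e174 [tlp:white] Outgoing HTTP Hostname ns1.intersecdns.com"; flow:to_server,established; http.header; content: "Host|3a| ns1.intersecdns.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ns1\.intersecdns\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4064932; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/174;)
alert dns any any -> any any (msg: "MISP e174 [tlp:white] Hostname ns2.intersecdns.com"; dns.query; content:"ns2.intersecdns.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ns2\.intersecdns\.com$/i"; classtype:trojan-activity; sid:4064941; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/174;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e174 [tlp:white] Outgoing HTTP Hostname ns2.intersecdns.com"; flow:to_server,established; http.header; content: "Host|3a| ns2.intersecdns.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ns2\.intersecdns\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4064942; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/174;)
alert ip $HOME_NET any -> 95.179.150.101 any (msg: "MISP e174 [tlp:white] Outgoing To IP: 95.179.150.101"; classtype:trojan-activity; sid:4064951; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/174;)

# --- MISP event 177 (priority 2) ---
# sids 4069101, 4069111 and 4069541 all match the same SNI (1292172017.rsc.cdn77.org); one session fires all three. The paths in the msg are not visible in TLS.
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e177 [tlp:white] Outgoing URL https|3a|//1292172017.rsc.cdn77.org/images/trpl.png"; tls.sni; content:"1292172017.rsc.cdn77.org"; tag:session,600,seconds; classtype:trojan-activity; sid:4069101; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/177;)
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e177 [tlp:white] Outgoing URL https|3a|//1292172017.rsc.cdn77.org/imtrack/strkp.png"; tls.sni; content:"1292172017.rsc.cdn77.org"; tag:session,600,seconds; classtype:trojan-activity; sid:4069111; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/177;)
alert ip $HOME_NET any -> 217.160.231.125 any (msg: "MISP e177 [tlp:white] Outgoing To IP: 217.160.231.125"; classtype:trojan-activity; sid:4069281; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/177;)
# 208.91.197.25, 184.168.221.42/.45/.63, 50.63.202.39, 104.28.2.169: appear to be shared parking/hosting/CDN addresses -- see review notes above.
alert ip $HOME_NET any -> 208.91.197.25 any (msg: "MISP e177 [tlp:white] Outgoing To IP: 208.91.197.25"; classtype:trojan-activity; sid:4069291; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/177;)
alert ip $HOME_NET any -> 184.168.221.42 any (msg: "MISP e177 [tlp:white] Outgoing To IP: 184.168.221.42"; classtype:trojan-activity; sid:4069301; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/177;)
alert ip $HOME_NET any -> 103.224.248.219 any (msg: "MISP e177 [tlp:white] Outgoing To IP: 103.224.248.219"; classtype:trojan-activity; sid:4069311; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/177;)
alert ip $HOME_NET any -> 31.31.196.120 any (msg: "MISP e177 [tlp:white] Outgoing To IP: 31.31.196.120"; classtype:trojan-activity; sid:4069321; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/177;)
alert ip $HOME_NET any -> 217.160.223.93 any (msg: "MISP e177 [tlp:white] Outgoing To IP: 217.160.223.93"; classtype:trojan-activity; sid:4069331; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/177;)
alert ip $HOME_NET any -> 184.168.221.45 any (msg: "MISP e177 [tlp:white] Outgoing To IP: 184.168.221.45"; classtype:trojan-activity; sid:4069341; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/177;)
alert ip $HOME_NET any -> 119.28.87.235 any (msg: "MISP e177 [tlp:white] Outgoing To IP: 119.28.87.235"; classtype:trojan-activity; sid:4069351; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/177;)
alert ip $HOME_NET any -> 50.63.202.39 any (msg: "MISP e177 [tlp:white] Outgoing To IP: 50.63.202.39"; classtype:trojan-activity; sid:4069371; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/177;)
alert ip $HOME_NET any -> 83.243.58.172 any (msg: "MISP e177 [tlp:white] Outgoing To IP: 83.243.58.172"; classtype:trojan-activity; sid:4069391; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/177;)
alert ip $HOME_NET any -> 5.9.41.178 any (msg: "MISP e177 [tlp:white] Outgoing To IP: 5.9.41.178"; classtype:trojan-activity; sid:4069401; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/177;)
alert ip $HOME_NET any -> 88.198.26.25 any (msg: "MISP e177 [tlp:white] Outgoing To IP: 88.198.26.25"; classtype:trojan-activity; sid:4069411; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/177;)
alert ip $HOME_NET any -> 62.75.189.110 any (msg: "MISP e177 [tlp:white] Outgoing To IP: 62.75.189.110"; classtype:trojan-activity; sid:4069421; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/177;)
alert ip $HOME_NET any -> 109.239.101.62 any (msg: "MISP e177 [tlp:white] Outgoing To IP: 109.239.101.62"; classtype:trojan-activity; sid:4069431; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/177;)
alert ip $HOME_NET any -> 107.186.67.4 any (msg: "MISP e177 [tlp:white] Outgoing To IP: 107.186.67.4"; classtype:trojan-activity; sid:4069441; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/177;)
alert ip $HOME_NET any -> 184.168.221.63 any (msg: "MISP e177 [tlp:white] Outgoing To IP: 184.168.221.63"; classtype:trojan-activity; sid:4069451; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/177;)
alert ip $HOME_NET any -> 45.55.154.177 any (msg: "MISP e177 [tlp:white] Outgoing To IP: 45.55.154.177"; classtype:trojan-activity; sid:4069461; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/177;)
alert ip $HOME_NET any -> 104.28.2.169 any (msg: "MISP e177 [tlp:white] Outgoing To IP: 104.28.2.169"; classtype:trojan-activity; sid:4069471; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/177;)
alert ip $HOME_NET any -> 202.56.240.5 any (msg: "MISP e177 [tlp:white] Outgoing To IP: 202.56.240.5"; classtype:trojan-activity; sid:4069481; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/177;)
alert ip $HOME_NET any -> 89.163.255.171 any (msg: "MISP e177 [tlp:white] Outgoing To IP: 89.163.255.171"; classtype:trojan-activity; sid:4069491; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/177;)
alert ip $HOME_NET any -> 185.243.114.111 any (msg: "MISP e177 [tlp:white] Outgoing To IP: 185.243.114.111"; classtype:trojan-activity; sid:4069501; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/177;)
alert dns any any -> any any (msg: "MISP e177 [tlp:white] Hostname d23cy16qyloios.cloudfront.net"; dns.query; content:"d23cy16qyloios.cloudfront.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])d23cy16qyloios\.cloudfront\.net$/i"; classtype:trojan-activity; sid:4069521; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/177;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e177 [tlp:white] Outgoing HTTP Hostname d23cy16qyloios.cloudfront.net"; flow:to_server,established; http.header; content: "Host|3a| d23cy16qyloios.cloudfront.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])d23cy16qyloios\.cloudfront\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4069522; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/177;)
alert dns any any -> any any (msg: "MISP e177 [tlp:white] Hostname d3cp2f6v8pu0j2.cloudfront.net"; dns.query; content:"d3cp2f6v8pu0j2.cloudfront.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])d3cp2f6v8pu0j2\.cloudfront\.net$/i"; classtype:trojan-activity; sid:4069531; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/177;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e177 [tlp:white] Outgoing HTTP Hostname d3cp2f6v8pu0j2.cloudfront.net"; flow:to_server,established; http.header; content: "Host|3a| d3cp2f6v8pu0j2.cloudfront.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])d3cp2f6v8pu0j2\.cloudfront\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4069532; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/177;)
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e177 [tlp:white] Outgoing URL https|3a|//1292172017.rsc.cdn77.org/images/trp.png"; tls.sni; content:"1292172017.rsc.cdn77.org"; tag:session,600,seconds; classtype:trojan-activity; sid:4069541; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/177;)

# --- MISP event 178 (priority 1) ---
# rev:2 -- the MISP URL attribute had no scheme, so the generator put "host/path" into http.uri. The normalized URI buffer holds only the path, so the rev:1 rule could never match. The host is now matched in the header buffer, as in the other URL rules in this file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e178 [tlp:white] Outgoing URL www.tradersbolt.com/126/invoice1.exe"; flow:to_server,established; http.header; content:"www.tradersbolt.com"; fast_pattern; nocase; http.uri; content:"/126/invoice1.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4069561; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/178;)
alert dns any any -> any any (msg: "MISP e178 [tlp:white] Hostname greatest.ddns.net"; dns.query; content:"greatest.ddns.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])greatest\.ddns\.net$/i"; classtype:trojan-activity; sid:4069571; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/178;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e178 [tlp:white] Outgoing HTTP Hostname greatest.ddns.net"; flow:to_server,established; http.header; content: "Host|3a| greatest.ddns.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])greatest\.ddns\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4069572; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/178;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e178 [tlp:white] Outgoing URL http|3a|//puu.sh/jMSLc.txt"; flow:to_server,established; http.header; content:"puu.sh"; fast_pattern; nocase; http.uri; content:"/jMSLc.txt"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4069581; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/178;)
# rev:2 -- anchored the SNI match so the short string "puu.sh" cannot hit inside another label. Note this still fires on every TLS session to the puu.sh file-sharing service, not only the one file above; keep priority 1 only if that service is unexpected from $HOME_NET.
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e178 [tlp:white] Outgoing URL https|3a|//puu.sh"; tls.sni; content:"puu.sh"; nocase; pcre: "/(^|[^A-Za-z0-9-])puu\.sh$/i"; tag:session,600,seconds; classtype:trojan-activity; sid:4069591; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/178;)

# --- MISP event 179 (priority 3) ---
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e179 [tlp:white] Outgoing URL https|3a|//helegedada.github.io/test/test"; tls.sni; content:"helegedada.github.io"; tag:session,600,seconds; classtype:trojan-activity; sid:4069671; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/179;)
# Fires on every TLS session to api.github.com -- the repository path in the msg is not visible in TLS. Suppress or threshold this sid unless GitHub API traffic is unexpected from $HOME_NET.
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e179 [tlp:white] Outgoing URL https|3a|//api.github.com/repos/helegedada/heihei"; tls.sni; content:"api.github.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4069681; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/179;)
alert http $HOME_NET any -> 198.204.231.250 $HTTP_PORTS (msg: "MISP e179 [tlp:white] Outgoing URL http|3a|//198.204.231.250/linux-x64"; flow:to_server,established; http.header; content:"198.204.231.250"; fast_pattern; nocase; http.uri; content:"/linux-x64"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4069691; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/179;)
alert http $HOME_NET any -> 198.204.231.250 $HTTP_PORTS (msg: "MISP e179 [tlp:white] Outgoing URL http|3a|//198.204.231.250/linux-x86"; flow:to_server,established; http.header; content:"198.204.231.250"; fast_pattern; nocase; http.uri; content:"/linux-x86"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4069701; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/179;)
# sids 4069711-4069741 all match SNI dd.heheda.tk; sids 4069751-4069791 all match SNI dd.cloudappconfig.com. One session fires the whole group.
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e179 [tlp:white] Outgoing URL https|3a|//dd.heheda.tk/i.jpg"; tls.sni; content:"dd.heheda.tk"; tag:session,600,seconds; classtype:trojan-activity; sid:4069711; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/179;)
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e179 [tlp:white] Outgoing URL https|3a|//dd.heheda.tk/i.sh"; tls.sni; content:"dd.heheda.tk"; tag:session,600,seconds; classtype:trojan-activity; sid:4069721; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/179;)
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e179 [tlp:white] Outgoing URL https|3a|//dd.heheda.tk/x86_64-static-linux-uclibc.jpg"; tls.sni; content:"dd.heheda.tk"; tag:session,600,seconds; classtype:trojan-activity; sid:4069731; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/179;)
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e179 [tlp:white] Outgoing URL https|3a|//dd.heheda.tk/i686-static-linux-uclibc.jpg"; tls.sni; content:"dd.heheda.tk"; tag:session,600,seconds; classtype:trojan-activity; sid:4069741; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/179;)
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e179 [tlp:white] Outgoing URL https|3a|//dd.cloudappconfig.com/i.jpg"; tls.sni; content:"dd.cloudappconfig.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4069751; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/179;)
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e179 [tlp:white] Outgoing URL https|3a|//dd.cloudappconfig.com/i.sh"; tls.sni; content:"dd.cloudappconfig.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4069761; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/179;)
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e179 [tlp:white] Outgoing URL https|3a|//dd.cloudappconfig.com/x86_64-static-linux-uclibc.jpg"; tls.sni; content:"dd.cloudappconfig.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4069771; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/179;)
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e179 [tlp:white] Outgoing URL https|3a|//dd.cloudappconfig.com/arm-static-linux-uclibcgnueabi.jpg"; tls.sni; content:"dd.cloudappconfig.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4069781; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/179;)
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e179 [tlp:white] Outgoing URL https|3a|//dd.cloudappconfig.com/i686-static-linux-uclibc.jpg"; tls.sni; content:"dd.cloudappconfig.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4069791; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/179;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e179 [tlp:white] Outgoing URL http|3a|//d.cloudappconfig.com/i686-w64-mingw32/Satan.exe"; flow:to_server,established; http.header; content:"d.cloudappconfig.com"; fast_pattern; nocase; http.uri; content:"/i686-w64-mingw32/Satan.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4069801; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/179;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e179 [tlp:white] Outgoing URL http|3a|//d.cloudappconfig.com/x86_64-static-linux-uclibc/Satan"; flow:to_server,established; http.header; content:"d.cloudappconfig.com"; fast_pattern; nocase; http.uri; content:"/x86_64-static-linux-uclibc/Satan"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4069811; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/179;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e179 [tlp:white] Outgoing URL http|3a|//d.cloudappconfig.com/i686-static-linux-uclibc/Satan"; flow:to_server,established; http.header; content:"d.cloudappconfig.com"; fast_pattern; nocase; http.uri; content:"/i686-static-linux-uclibc/Satan"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4069821; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/179;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e179 [tlp:white] Outgoing URL http|3a|//d.cloudappconfig.com/arm-static-linux-uclibcgnueabi/Satan"; flow:to_server,established; http.header; content:"d.cloudappconfig.com"; fast_pattern; nocase; http.uri; content:"/arm-static-linux-uclibcgnueabi/Satan"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4069831; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/179;)
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e179 [tlp:white] Outgoing URL https|3a|//d.cloudappconfig.com/mipsel-static-linux-uclibc/Satan"; tls.sni; content:"d.cloudappconfig.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4069841; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/179;)
alert dns any any -> any any (msg: "MISP e179 [tlp:white] Hostname d.heheda.tk"; dns.query; content:"d.heheda.tk"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])d\.heheda\.tk$/i"; classtype:trojan-activity; sid:4069851; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/179;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e179 [tlp:white] Outgoing HTTP Hostname d.heheda.tk"; flow:to_server,established; http.header; content: "Host|3a| d.heheda.tk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])d\.heheda\.tk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4069852; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/179;)
alert dns any any -> any any (msg: "MISP e179 [tlp:white] Hostname dd.heheda.tk"; dns.query; content:"dd.heheda.tk"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])dd\.heheda\.tk$/i"; classtype:trojan-activity; sid:4069861; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/179;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e179 [tlp:white] Outgoing HTTP Hostname dd.heheda.tk"; flow:to_server,established; http.header; content: "Host|3a| dd.heheda.tk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])dd\.heheda\.tk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4069862; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/179;)
alert dns any any -> any any (msg: "MISP e179 [tlp:white] Hostname c.heheda.tk"; dns.query; content:"c.heheda.tk"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])c\.heheda\.tk$/i"; classtype:trojan-activity; sid:4069871; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/179;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e179 [tlp:white] Outgoing HTTP Hostname c.heheda.tk"; flow:to_server,established; http.header; content: "Host|3a| c.heheda.tk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])c\.heheda\.tk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4069872; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/179;)
alert dns any any -> any any (msg: "MISP e179 [tlp:white] Hostname d.cloudappconfig.com"; dns.query; content:"d.cloudappconfig.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])d\.cloudappconfig\.com$/i"; classtype:trojan-activity; sid:4069881; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/179;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e179 [tlp:white] Outgoing HTTP Hostname d.cloudappconfig.com"; flow:to_server,established; http.header; content: "Host|3a| d.cloudappconfig.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])d\.cloudappconfig\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4069882; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/179;)
alert dns any any -> any any (msg: "MISP e179 [tlp:white] Hostname dd.cloudappconfig.com"; dns.query; content:"dd.cloudappconfig.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])dd\.cloudappconfig\.com$/i"; classtype:trojan-activity; sid:4069891; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/179;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e179 [tlp:white] Outgoing HTTP Hostname dd.cloudappconfig.com"; flow:to_server,established; http.header; content: "Host|3a| dd.cloudappconfig.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])dd\.cloudappconfig\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4069892; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/179;)
alert dns any any -> any any (msg: "MISP e179 [tlp:white] Hostname c.cloudappconfig.com"; dns.query; content:"c.cloudappconfig.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])c\.cloudappconfig\.com$/i"; classtype:trojan-activity; sid:4069901; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/179;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e179 [tlp:white] Outgoing HTTP Hostname c.cloudappconfig.com"; flow:to_server,established; http.header; content: "Host|3a| c.cloudappconfig.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])c\.cloudappconfig\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4069902; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/179;)
alert dns any any -> any any (msg: "MISP e179 [tlp:white] Hostname f.cloudappconfig.com"; dns.query; content:"f.cloudappconfig.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])f\.cloudappconfig\.com$/i"; classtype:trojan-activity; sid:4069911; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/179;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e179 [tlp:white] Outgoing HTTP Hostname f.cloudappconfig.com"; flow:to_server,established; http.header; content: "Host|3a| f.cloudappconfig.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])f\.cloudappconfig\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4069912; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/179;)
alert dns any any -> any any (msg: "MISP e179 [tlp:white] Hostname t.cloudappconfig.com"; dns.query; content:"t.cloudappconfig.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])t\.cloudappconfig\.com$/i"; classtype:trojan-activity; sid:4069921; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/179;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e179 [tlp:white] Outgoing HTTP Hostname t.cloudappconfig.com"; flow:to_server,established; http.header; content: "Host|3a| t.cloudappconfig.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])t\.cloudappconfig\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4069922; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/179;)
alert dns any any -> any any (msg: "MISP e179 [tlp:white] Hostname v.cloudappconfig.com"; dns.query; content:"v.cloudappconfig.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])v\.cloudappconfig\.com$/i"; classtype:trojan-activity; sid:4069931; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/179;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e179 [tlp:white] Outgoing HTTP Hostname v.cloudappconfig.com"; flow:to_server,established; http.header; content: "Host|3a| v.cloudappconfig.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])v\.cloudappconfig\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4069932; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/179;)
alert dns any any -> any any (msg: "MISP e179 [tlp:white] Hostname img0.cloudappconfig.com"; dns.query; content:"img0.cloudappconfig.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])img0\.cloudappconfig\.com$/i"; classtype:trojan-activity; sid:4069941; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/179;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e179 [tlp:white] Outgoing HTTP Hostname img0.cloudappconfig.com"; flow:to_server,established; http.header; content: "Host|3a| img0.cloudappconfig.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])img0\.cloudappconfig\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4069942; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/179;)
alert dns any any -> any any (msg: "MISP e179 [tlp:white] Hostname img1.cloudappconfig.com"; dns.query; content:"img1.cloudappconfig.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])img1\.cloudappconfig\.com$/i"; classtype:trojan-activity; sid:4069951; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/179;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e179 [tlp:white] Outgoing HTTP Hostname img1.cloudappconfig.com"; flow:to_server,established; http.header; content: "Host|3a| img1.cloudappconfig.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])img1\.cloudappconfig\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4069952; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/179;)
alert dns any any -> any any (msg: "MISP e179 [tlp:white] Hostname img2.cloudappconfig.com"; dns.query; content:"img2.cloudappconfig.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])img2\.cloudappconfig\.com$/i"; classtype:trojan-activity; sid:4069961; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/179;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e179 [tlp:white] Outgoing HTTP Hostname img2.cloudappconfig.com"; flow:to_server,established; http.header; content: "Host|3a| img2.cloudappconfig.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])img2\.cloudappconfig\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4069962; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/179;)
# The rule below continues beyond this section of the file; its tail (rev/priority/reference) was not reviewed here and is left exactly as exported.
alert ip $HOME_NET any -> 198.204.231.250 any (msg: "MISP e179 [tlp:white] Outgoing To IP: 198.204.231.250"; classtype:trojan-activity; sid:4069971; 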
rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/179;) alert ip $HOME_NET any -> 104.238.151.101 any (msg: "MISP e179 [tlp:white] Outgoing To IP: 104.238.151.101"; classtype:trojan-activity; sid:4069981; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/179;) alert ip $HOME_NET any -> 43.224.225.220 any (msg: "MISP e179 [tlp:white] Outgoing To IP: 43.224.225.220"; classtype:trojan-activity; sid:4069991; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/179;) alert ip $HOME_NET any -> 109.230.199.227 any (msg: "MISP e180 [misp-galaxy:mitre-enterprise-attack-attack-pattern="Data Encrypted - T1022",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="DLL Search Order Hijacking - T1038",misp-galaxy:mitre-enterprise-attack-attack-pattern="Code Signing - T1116",misp-galaxy:mitre-enterprise-attack-attack-pattern="Execution through Module Load - T1129",misp-galaxy:mitre-enterprise-attack-attack-pattern="Deobfuscate/Decode Files or Information - T1140",misp-galaxy:mitre-enterprise-attack-attack-pattern="Execution through API - T1106",misp-galaxy:mitre-enterprise-attack-attack-pattern="File Deletion - T1107",misp-galaxy:mitre-enterprise-attack-attack-pattern="Hooking - T1179",tlp:white] Outgoing To IP: 109.230.199.227"; classtype:trojan-activity; sid:4070041; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/180;) alert dns any any -> any any (msg: "MISP e181 [tlp:white] Domain volusion-cdn.com"; dns.query; content:"volusion-cdn.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])volusion\-cdn\.com$/i"; classtype:trojan-activity; sid:4070101; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/181;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e181 [tlp:white] Outgoing HTTP Domain volusion-cdn.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; 
content:"volusion-cdn.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])volusion\-cdn\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4070102; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/181;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e181 [tlp:white] Outgoing URL https|3a|//volusion-cdn.com/analytics/beacon"; tls.sni; content:"volusion-cdn.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4070111; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/181;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e181 [tlp:white] Outgoing URL https|3a|//storage.googleapis.com/volusionapi/resources.js"; tls.sni; content:"storage.googleapis.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4070121; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/181;) alert ip $HOME_NET any -> 185.172.110.224 993 (msg: "MISP e183 [tlp:white] Outgoing To IP: 185.172.110.224|993"; classtype:trojan-activity; sid:4070231; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/183;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e183 [tlp:white] Outgoing URL 185.172.110.224/arm7"; flow:to_server,established; http.uri; content:"185.172.110.224/arm7"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4070241; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/183;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e183 [tlp:white] Outgoing URL 185.172.110.224/mips"; flow:to_server,established; http.uri; content:"185.172.110.224/mips"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4070251; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/183;) alert ip $HOME_NET any -> 185.254.188.11 any (msg: "MISP e184 [tlp:white] Outgoing To IP: 185.254.188.11"; classtype:trojan-activity; sid:4070271; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/184;) alert dns any any -> any any (msg: "MISP e184 [tlp:white] Hostname techsupport.org.ru"; dns.query; content:"techsupport.org.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])techsupport\.org\.ru$/i"; classtype:trojan-activity; sid:4070281; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/184;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e184 [tlp:white] Outgoing HTTP Hostname techsupport.org.ru"; flow:to_server,established; http.header; content: "Host|3a| techsupport.org.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])techsupport\.org\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4070282; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/184;) alert dns any any -> any any (msg: "MISP e184 [tlp:white] Hostname www.techsupport.org.ru"; dns.query; content:"www.techsupport.org.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.techsupport\.org\.ru$/i"; classtype:trojan-activity; sid:4070291; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/184;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e184 [tlp:white] Outgoing HTTP Hostname www.techsupport.org.ru"; flow:to_server,established; http.header; content: "Host|3a| www.techsupport.org.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.techsupport\.org\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4070292; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/184;) alert dns any any -> any any (msg: "MISP e184 [tlp:white] Domain techsupportlap.icu"; dns.query; content:"techsupportlap.icu"; nocase; pcre: "/(^|[^A-Za-z0-9-])techsupportlap\.icu$/i"; classtype:trojan-activity; sid:4070301; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/184;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e184 [tlp:white] Outgoing HTTP Domain techsupportlap.icu"; flow:to_server,established; 
http.header; content: "Host|3a|"; nocase; http.header; content:"techsupportlap.icu"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])techsupportlap\.icu[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4070302; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/184;) alert dns any any -> any any (msg: "MISP e184 [tlp:white] Domain techsupportnet.icu"; dns.query; content:"techsupportnet.icu"; nocase; pcre: "/(^|[^A-Za-z0-9-])techsupportnet\.icu$/i"; classtype:trojan-activity; sid:4070311; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/184;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e184 [tlp:white] Outgoing HTTP Domain techsupportnet.icu"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"techsupportnet.icu"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])techsupportnet\.icu[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4070312; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/184;) alert dns any any -> any any (msg: "MISP e184 [tlp:white] Domain jduuyerm.website"; dns.query; content:"jduuyerm.website"; nocase; pcre: "/(^|[^A-Za-z0-9-])jduuyerm\.website$/i"; classtype:trojan-activity; sid:4070321; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/184;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e184 [tlp:white] Outgoing HTTP Domain jduuyerm.website"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"jduuyerm.website"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])jduuyerm\.website[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4070322; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/184;) alert ip $HOME_NET any -> 185.212.128.189 any (msg: "MISP e184 [tlp:white] Outgoing To IP: 185.212.128.189"; classtype:trojan-activity; sid:4070331; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/184;) alert dns any any -> any any (msg: "MISP e184 [tlp:white] Hostname aefawexxr54xrtrt.softether.net"; dns.query; content:"aefawexxr54xrtrt.softether.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])aefawexxr54xrtrt\.softether\.net$/i"; classtype:trojan-activity; sid:4070341; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/184;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e184 [tlp:white] Outgoing HTTP Hostname aefawexxr54xrtrt.softether.net"; flow:to_server,established; http.header; content: "Host|3a| aefawexxr54xrtrt.softether.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])aefawexxr54xrtrt\.softether\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4070342; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/184;) alert ip $HOME_NET any -> 3.95.71.123 3000 (msg: "MISP e187 [tlp:white] Outgoing To IP: 3.95.71.123|3000"; classtype:trojan-activity; sid:4071851; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/187;) alert ip $HOME_NET any -> 18.206.105.66 3000 (msg: "MISP e187 [tlp:white] Outgoing To IP: 18.206.105.66|3000"; classtype:trojan-activity; sid:4071861; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/187;) alert ip $HOME_NET any -> 40.114.109.69 3000 (msg: "MISP e187 [tlp:white] Outgoing To IP: 40.114.109.69|3000"; classtype:trojan-activity; sid:4071871; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/187;) alert ip $HOME_NET any -> 52.21.5.241 2000 (msg: "MISP e187 [tlp:white] Outgoing To IP: 52.21.5.241|2000"; classtype:trojan-activity; sid:4071881; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/187;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e187 [tlp:white] Outgoing URL http|3a|//gooogle.press/"; flow:to_server,established; http.header; content:"gooogle.press"; fast_pattern; nocase; http.uri; content:"/"; 
nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4071891; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/187;) alert ip $HOME_NET any -> 62.149.158.252 any (msg: "MISP e188 [tlp:white] Outgoing To IP: 62.149.158.252"; classtype:trojan-activity; sid:4071911; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/188;) alert ip $HOME_NET any -> 177.34.32.109 any (msg: "MISP e188 [tlp:white] Outgoing To IP: 177.34.32.109"; classtype:trojan-activity; sid:4071921; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/188;) alert ip $HOME_NET any -> 2.138.111.86 any (msg: "MISP e188 [tlp:white] Outgoing To IP: 2.138.111.86"; classtype:trojan-activity; sid:4071931; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/188;) alert ip $HOME_NET any -> 122.172.96.18 any (msg: "MISP e188 [tlp:white] Outgoing To IP: 122.172.96.18"; classtype:trojan-activity; sid:4071941; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/188;) alert ip $HOME_NET any -> 69.93.243.5 any (msg: "MISP e188 [tlp:white] Outgoing To IP: 69.93.243.5"; classtype:trojan-activity; sid:4071951; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/188;) alert ip $HOME_NET any -> 200.43.183.102 any (msg: "MISP e188 [tlp:white] Outgoing To IP: 200.43.183.102"; classtype:trojan-activity; sid:4071961; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/188;) alert ip $HOME_NET any -> 79.124.76.30 any (msg: "MISP e188 [tlp:white] Outgoing To IP: 79.124.76.30"; classtype:trojan-activity; sid:4071971; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/188;) alert ip $HOME_NET any -> 188.125.166.114 any (msg: "MISP e188 [tlp:white] Outgoing To IP: 188.125.166.114"; classtype:trojan-activity; sid:4071981; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/188;) alert ip $HOME_NET any -> 37.59.52.64 any (msg: "MISP e188 [tlp:white] Outgoing To IP: 
37.59.52.64"; classtype:trojan-activity; sid:4071991; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/188;) alert ip $HOME_NET any -> 50.28.35.36 any (msg: "MISP e188 [tlp:white] Outgoing To IP: 50.28.35.36"; classtype:trojan-activity; sid:4072001; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/188;) alert ip $HOME_NET any -> 154.70.39.158 any (msg: "MISP e188 [tlp:white] Outgoing To IP: 154.70.39.158"; classtype:trojan-activity; sid:4072011; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/188;) alert ip $HOME_NET any -> 108.29.37.11 any (msg: "MISP e188 [tlp:white] Outgoing To IP: 108.29.37.11"; classtype:trojan-activity; sid:4072021; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/188;) alert ip $HOME_NET any -> 65.112.218.2 any (msg: "MISP e188 [tlp:white] Outgoing To IP: 65.112.218.2"; classtype:trojan-activity; sid:4072031; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/188;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e188 [tlp:white] Source Email Address: info@antonioscognamiglio.it"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"info@antonioscognamiglio.it"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4072201; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/188;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e188 [tlp:white] Source Email Address: info@golfprogroup.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"info@golfprogroup.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4072211; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/188;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e188 [tlp:white] Source Email Address: cariola72@teletu.it"; flow:established,to_server; 
content:"MAIL FROM|3a|"; nocase; content:"cariola72@teletu.it"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4072221; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/188;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e188 [tlp:white] Source Email Address: info@melvale.co.uk"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"info@melvale.co.uk"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4072231; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/188;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e188 [tlp:white] Source Email Address: fabianurquiza@correo.dalvear.com.ar"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"fabianurquiza@correo.dalvear.com.ar"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4072241; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/188;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e188 [tlp:white] Source Email Address: web1587p16@mail.flw-buero.at"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"web1587p16@mail.flw-buero.at"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4072251; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/188;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e188 [tlp:white] Source Email Address: farid@abc-telecom.az"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"farid@abc-telecom.az"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4072261; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/188;) alert tcp $EXTERNAL_NET any -> 
$SMTP_SERVERS 25 (msg: "MISP e188 [tlp:white] Source Email Address: bounce@bestvaluestore.org"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"bounce@bestvaluestore.org"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4072271; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/188;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e188 [tlp:white] Source Email Address: admin@sevpazarlama.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"admin@sevpazarlama.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4072281; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/188;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e188 [tlp:white] Source Email Address: faturamento@sudestecaminhoes.com.br"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"faturamento@sudestecaminhoes.com.br"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4072291; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/188;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e188 [tlp:white] Source Email Address: pranab@pdrassocs.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"pranab@pdrassocs.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4072301; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/188;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e188 [tlp:white] Source Email Address: tom@blackburnpowerltd.co.uk"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"tom@blackburnpowerltd.co.uk"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; 
classtype:trojan-activity; sid:4072311; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/188;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e188 [tlp:white] Source Email Address: yportocarrero@elevenca.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"yportocarrero@elevenca.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4072321; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/188;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e188 [tlp:white] Source Email Address: s.palani@itifsl.co.in"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"s.palani@itifsl.co.in"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4072331; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/188;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e188 [tlp:white] Source Email Address: faber@imaba.nl"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"faber@imaba.nl"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4072341; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/188;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e188 [tlp:white] Source Email Address: admin@belpay.by"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"admin@belpay.by"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4072351; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/188;) alert ip $HOME_NET any -> 162.241.24.101 any (msg: "MISP e189 [tlp:white] Outgoing To IP: 162.241.24.101"; classtype:trojan-activity; sid:4072561; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/189;) alert dns 
any any -> any any (msg: "MISP e189 [tlp:white] Hostname www.tinystudiocollective.com"; dns.query; content:"www.tinystudiocollective.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.tinystudiocollective\.com$/i"; classtype:trojan-activity; sid:4072571; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/189;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e189 [tlp:white] Outgoing HTTP Hostname www.tinystudiocollective.com"; flow:to_server,established; http.header; content: "Host|3a| www.tinystudiocollective.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.tinystudiocollective\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4072572; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/189;) alert ip $HOME_NET any -> 170.238.117.187 8082 (msg: "MISP e189 [tlp:white] Outgoing To IP: 170.238.117.187|8082"; classtype:trojan-activity; sid:4072581; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/189;) alert ip $HOME_NET any -> 131.161.253.190 449 (msg: "MISP e189 [tlp:white] Outgoing To IP: 131.161.253.190|449"; classtype:trojan-activity; sid:4072591; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/189;) alert ip $HOME_NET any -> 181.129.104.139 449 (msg: "MISP e189 [tlp:white] Outgoing To IP: 181.129.104.139|449"; classtype:trojan-activity; sid:4072601; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/189;) alert ip $HOME_NET any -> 185.14.28.107 447 (msg: "MISP e189 [tlp:white] Outgoing To IP: 185.14.28.107|447"; classtype:trojan-activity; sid:4072611; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/189;) alert ip $HOME_NET any -> 190.214.13.2 449 (msg: "MISP e189 [tlp:white] Outgoing To IP: 190.214.13.2|449"; classtype:trojan-activity; sid:4072621; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/189;) alert ip $HOME_NET any -> 195.123.245.127 443 (msg: "MISP e189 [tlp:white] 
Outgoing To IP: 195.123.245.127|443"; classtype:trojan-activity; sid:4072631; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/189;) alert ip $HOME_NET any -> 23.202.231.166 448 (msg: "MISP e189 [tlp:white] Outgoing To IP: 23.202.231.166|448"; classtype:trojan-activity; sid:4072641; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/189;) alert ip $HOME_NET any -> 23.217.138.107 448 (msg: "MISP e189 [tlp:white] Outgoing To IP: 23.217.138.107|448"; classtype:trojan-activity; sid:4072651; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/189;) alert dns any any -> any any (msg: "MISP e190 [tlp:white] Domain ipsoftwarelabs.com"; dns.query; content:"ipsoftwarelabs.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ipsoftwarelabs\.com$/i"; classtype:trojan-activity; sid:4072671; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/190;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e190 [tlp:white] Outgoing HTTP Domain ipsoftwarelabs.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ipsoftwarelabs.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ipsoftwarelabs\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4072672; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/190;) alert dns any any -> any any (msg: "MISP e190 [tlp:white] Domain toshibadrive.com"; dns.query; content:"toshibadrive.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])toshibadrive\.com$/i"; classtype:trojan-activity; sid:4072681; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/190;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e190 [tlp:white] Outgoing HTTP Domain toshibadrive.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"toshibadrive.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])toshibadrive\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4072682; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/190;) alert dns any any -> any any (msg: "MISP e190 [tlp:white] Domain strust.club"; dns.query; content:"strust.club"; nocase; pcre: "/(^|[^A-Za-z0-9-])strust\.club$/i"; classtype:trojan-activity; sid:4072691; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/190;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e190 [tlp:white] Outgoing HTTP Domain strust.club"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"strust.club"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])strust\.club[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4072692; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/190;) alert dns any any -> any any (msg: "MISP e190 [tlp:white] Domain svchosts.com"; dns.query; content:"svchosts.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])svchosts\.com$/i"; classtype:trojan-activity; sid:4072701; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/190;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e190 [tlp:white] Outgoing HTTP Domain svchosts.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"svchosts.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])svchosts\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4072702; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/190;) alert dns any any -> any any (msg: "MISP e190 [tlp:white] Domain svrhosts.com"; dns.query; content:"svrhosts.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])svrhosts\.com$/i"; classtype:trojan-activity; sid:4072711; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/190;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e190 [tlp:white] Outgoing HTTP Domain svrhosts.com"; flow:to_server,established; http.header; content: 
"Host|3a|"; nocase; http.header; content:"svrhosts.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])svrhosts\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4072712; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/190;) alert ip $HOME_NET any -> 116.93.154.250 any (msg: "MISP e190 [tlp:white] Outgoing To IP: 116.93.154.250"; classtype:trojan-activity; sid:4072721; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/190;) alert dns any any -> any any (msg: "MISP e190 [tlp:white] Domain forexdualsystem.com"; dns.query; content:"forexdualsystem.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])forexdualsystem\.com$/i"; classtype:trojan-activity; sid:4072731; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/190;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e190 [tlp:white] Outgoing HTTP Domain forexdualsystem.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"forexdualsystem.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])forexdualsystem\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4072732; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/190;) alert dns any any -> any any (msg: "MISP e190 [tlp:white] Domain apple-net.com"; dns.query; content:"apple-net.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])apple\-net\.com$/i"; classtype:trojan-activity; sid:4072741; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/190;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e190 [tlp:white] Outgoing HTTP Domain apple-net.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"apple-net.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])apple\-net\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4072742; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/190;) alert 
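dns any any -> any any (msg: "MISP e190 [tlp:white] Domain lionforcesystems.com"; dns.query; content:"lionforcesystems.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])lionforcesystems\.com$/i"; classtype:trojan-activity; sid:4072751; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/190;)
# Rules below are re-flowed one rule per line: Suricata reads a rule per line
# (a line may only be continued with a trailing backslash), so several rules
# sharing a line, or one rule split over two lines, fail to load.
#
# Indicator semantics as exported by MISP:
#  - "Domain" rules anchor the pcre with (^|[^A-Za-z0-9-]), so a '.' may
#    precede the name: they fire on the domain AND all of its subdomains.
#  - "Hostname" rules anchor with (^|[^A-Za-z0-9-\.]) and match that exact host only.
#  - "Outgoing HTTP Domain" rules match the domain string anywhere in the
#    request headers (the Host|3a| content and the domain content are not
#    tied to each other), so a Referer carrying the domain also alerts.
# e190/e191 - Domain indicators, priority 2.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e190 [tlp:white] Outgoing HTTP Domain lionforcesystems.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lionforcesystems.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lionforcesystems\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4072752; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/190;)
alert dns any any -> any any (msg: "MISP e190 [tlp:white] Domain wbemsystem.com"; dns.query; content:"wbemsystem.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])wbemsystem\.com$/i"; classtype:trojan-activity; sid:4072761; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/190;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e190 [tlp:white] Outgoing HTTP Domain wbemsystem.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wbemsystem.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wbemsystem\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4072762; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/190;)
alert dns any any -> any any (msg: "MISP e191 [tlp:white] Domain protonvpn.store"; dns.query; content:"protonvpn.store"; nocase; pcre: "/(^|[^A-Za-z0-9-])protonvpn\.store$/i"; classtype:trojan-activity; sid:4073071; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/191;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e191 [tlp:white] Outgoing HTTP Domain protonvpn.store"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"protonvpn.store"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])protonvpn\.store[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4073072; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/191;)
# e192 - URL indicators. The first rule pins host (destination IP) and URI path.
# The remaining e192 URL indicators carry no path, so the export matches the bare
# domain string anywhere in http.header without fast_pattern: expect noise from
# Referer/Origin headers, and the CDN-style names (akamaihd.net) are shared infrastructure.
alert http $HOME_NET any -> 80.82.77.84 $HTTP_PORTS (msg: "MISP e192 [tlp:white] Outgoing URL http|3a|//80.82.77.84/.dmg"; flow:to_server,established; http.header; content:"80.82.77.84"; fast_pattern; nocase; http.uri; content:"/.dmg"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4073191; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/192;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e192 [tlp:white] Outgoing URL http|3a|//sci-hub.tv"; flow:to_server,established; http.header; content:"sci-hub.tv"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4073201; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/192;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e192 [tlp:white] Outgoing URL http|3a|//kodak-world.com"; flow:to_server,established; http.header; content:"kodak-world.com"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4073211; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/192;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e192 [tlp:white] Outgoing URL http|3a|//lkysearchds3822-a.akamaihd.net"; flow:to_server,established; http.header; content:"lkysearchds3822-a.akamaihd.net"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4073221; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/192;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e192 [tlp:white] Outgoing URL http|3a|//api.typicalarchive.com"; flow:to_server,established; http.header; content:"api.typicalarchive.com"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4073231; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/192;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e192 [tlp:white] Outgoing URL http|3a|//api.entrycache.com"; flow:to_server,established; http.header; content:"api.entrycache.com"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4073241; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/192;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e192 [tlp:white] Outgoing URL http|3a|//api.macsmoments.com"; flow:to_server,established; http.header; content:"api.macsmoments.com"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4073251; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/192;)
# e193 - IP and Hostname indicators, priority 2. The "ip" rules alert on any
# outbound packet to the address, independent of protocol or flow state.
alert ip $HOME_NET any -> 45.134.1.180 any (msg: "MISP e193 [tlp:white] Outgoing To IP: 45.134.1.180"; classtype:trojan-activity; sid:4073451; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/193;)
alert ip $HOME_NET any -> 45.83.137.83 any (msg: "MISP e193 [tlp:white] Outgoing To IP: 45.83.137.83"; classtype:trojan-activity; sid:4073461; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/193;)
alert dns any any -> any any (msg: "MISP e193 [tlp:white] Hostname app.poorgoddaay.com"; dns.query; content:"app.poorgoddaay.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])app\.poorgoddaay\.com$/i"; classtype:trojan-activity; sid:4073471; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/193;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e193 [tlp:white] Outgoing HTTP Hostname app.poorgoddaay.com"; flow:to_server,established; http.header; content: "Host|3a| app.poorgoddaay.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])app\.poorgoddaay\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4073472; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/193;)
alert dns any any -> any any (msg: "MISP e193 [tlp:white] Hostname movie.poorgoddaay.com"; dns.query; content:"movie.poorgoddaay.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])movie\.poorgoddaay\.com$/i"; classtype:trojan-activity; sid:4073481; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/193;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e193 [tlp:white] Outgoing HTTP Hostname movie.poorgoddaay.com"; flow:to_server,established; http.header; content: "Host|3a| movie.poorgoddaay.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])movie\.poorgoddaay\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4073482; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/193;)
alert dns any any -> any any (msg: "MISP e193 [tlp:white] Hostname news.poorgoddaay.com"; dns.query; content:"news.poorgoddaay.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])news\.poorgoddaay\.com$/i"; classtype:trojan-activity; sid:4073491; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/193;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e193 [tlp:white] Outgoing HTTP Hostname news.poorgoddaay.com"; flow:to_server,established; http.header; content: "Host|3a| news.poorgoddaay.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])news\.poorgoddaay\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4073492; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/193;)
alert dns any any -> any any (msg: "MISP e193 [tlp:white] Hostname appledaily.googlephoto.vip"; dns.query; content:"appledaily.googlephoto.vip"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])appledaily\.googlephoto\.vip$/i"; classtype:trojan-activity; sid:4073501; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/193;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e193 [tlp:white] Outgoing HTTP Hostname appledaily.googlephoto.vip"; flow:to_server,established; http.header; content: "Host|3a| appledaily.googlephoto.vip"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])appledaily\.googlephoto\.vip[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4073502; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/193;)
alert dns any any -> any any (msg: "MISP e193 [tlp:white] Hostname www.googlephoto.vip"; dns.query; content:"www.googlephoto.vip"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.googlephoto\.vip$/i"; classtype:trojan-activity; sid:4073511; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/193;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e193 [tlp:white] Outgoing HTTP Hostname www.googlephoto.vip"; flow:to_server,established; http.header; content: "Host|3a| www.googlephoto.vip"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.googlephoto\.vip[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4073512; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/193;)
alert dns any any -> any any (msg: "MISP e193 [tlp:white] Hostname app.hkrevolution.club"; dns.query; content:"app.hkrevolution.club"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])app\.hkrevolution\.club$/i"; classtype:trojan-activity; sid:4073521; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/193;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e193 [tlp:white] Outgoing HTTP Hostname app.hkrevolution.club"; flow:to_server,established; http.header; content: "Host|3a| app.hkrevolution.club"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])app\.hkrevolution\.club[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4073522; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/193;)
alert dns any any -> any any (msg: "MISP e193 [tlp:white] Hostname news2.hkrevolution.club"; dns.query; content:"news2.hkrevolution.club"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])news2\.hkrevolution\.club$/i"; classtype:trojan-activity; sid:4073531; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/193;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e193 [tlp:white] Outgoing HTTP Hostname news2.hkrevolution.club"; flow:to_server,established; http.header; content: "Host|3a| news2.hkrevolution.club"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])news2\.hkrevolution\.club[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4073532; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/193;)
alert dns any any -> any any (msg: "MISP e193 [tlp:white] Hostname svr.hkrevolution.club"; dns.query; content:"svr.hkrevolution.club"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])svr\.hkrevolution\.club$/i"; classtype:trojan-activity; sid:4073541; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/193;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e193 [tlp:white] Outgoing HTTP Hostname svr.hkrevolution.club"; flow:to_server,established; http.header; content: "Host|3a| svr.hkrevolution.club"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])svr\.hkrevolution\.club[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4073542; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/193;)
alert dns any any -> any any (msg: "MISP e193 [tlp:white] Hostname news.hkrevolution.club"; dns.query; content:"news.hkrevolution.club"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])news\.hkrevolution\.club$/i"; classtype:trojan-activity; sid:4073551; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/193;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e193 [tlp:white] Outgoing HTTP Hostname news.hkrevolution.club"; flow:to_server,established; http.header; content: "Host|3a| news.hkrevolution.club"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])news\.hkrevolution\.club[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4073552; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/193;)
alert dns any any -> any any (msg: "MISP e193 [tlp:white] Hostname www.facebooktoday.cc"; dns.query; content:"www.facebooktoday.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.facebooktoday\.cc$/i"; classtype:trojan-activity; sid:4073561; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/193;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e193 [tlp:white] Outgoing HTTP Hostname www.facebooktoday.cc"; flow:to_server,established; http.header; content: "Host|3a| www.facebooktoday.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.facebooktoday\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4073562; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/193;)
alert dns any any -> any any (msg: "MISP e193 [tlp:white] Hostname news.hkrevolt.com"; dns.query; content:"news.hkrevolt.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])news\.hkrevolt\.com$/i"; classtype:trojan-activity; sid:4073571; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/193;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e193 [tlp:white] Outgoing HTTP Hostname news.hkrevolt.com"; flow:to_server,established; http.header; content: "Host|3a| news.hkrevolt.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])news\.hkrevolt\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4073572; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/193;)
alert dns any any -> any any (msg: "MISP e193 [tlp:white] Hostname www.messager.cloud"; dns.query; content:"www.messager.cloud"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.messager\.cloud$/i"; classtype:trojan-activity; sid:4073581; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/193;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e193 [tlp:white] Outgoing HTTP Hostname www.messager.cloud"; flow:to_server,established; http.header; content: "Host|3a| www.messager.cloud"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.messager\.cloud[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4073582; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/193;)
# e194/e195 - priority 1 IP and Hostname indicators.
alert ip $HOME_NET any -> 66.42.98.220 any (msg: "MISP e194 [tlp:white] Outgoing To IP: 66.42.98.220"; classtype:trojan-activity; sid:4073611; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/194;)
alert ip $HOME_NET any -> 91.208.184.78 any (msg: "MISP e194 [tlp:white] Outgoing To IP: 91.208.184.78"; classtype:trojan-activity; sid:4073621; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/194;)
alert ip $HOME_NET any -> 74.82.201.8 any (msg: "MISP e194 [tlp:white] Outgoing To IP: 74.82.201.8"; classtype:trojan-activity; sid:4073631; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/194;)
alert dns any any -> any any (msg: "MISP e194 [tlp:white] Hostname exchange.dumb1.com"; dns.query; content:"exchange.dumb1.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])exchange\.dumb1\.com$/i"; classtype:trojan-activity; sid:4073641; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/194;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e194 [tlp:white] Outgoing HTTP Hostname exchange.dumb1.com"; flow:to_server,established; http.header; content: "Host|3a| exchange.dumb1.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])exchange\.dumb1\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4073642; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/194;)
alert dns any any -> any any (msg: "MISP e195 [tlp:white] Hostname last.tax-lab.net"; dns.query; content:"last.tax-lab.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])last\.tax\-lab\.net$/i"; classtype:trojan-activity; sid:4073731; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/195;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e195 [tlp:white] Outgoing HTTP Hostname last.tax-lab.net"; flow:to_server,established; http.header; content: "Host|3a| last.tax-lab.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])last\.tax\-lab\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4073732; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/195;)
alert dns any any -> any any (msg: "MISP e195 [tlp:white] Hostname cnnmedia.servepics.com"; dns.query; content:"cnnmedia.servepics.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cnnmedia\.servepics\.com$/i"; classtype:trojan-activity; sid:4073741; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/195;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e195 [tlp:white] Outgoing HTTP Hostname cnnmedia.servepics.com"; flow:to_server,established; http.header; content: "Host|3a| cnnmedia.servepics.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cnnmedia\.servepics\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4073742; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/195;)
# e196 - URL indicators without a scheme. The export placed "host/path" into
# http.uri, but for ordinary origin-form requests that buffer holds only the
# path ("/rl.php"), so "host/path" never matched and the rules were dead.
# Rewritten (rev:2) to match the host in http.host and the path in http.uri.
# http.host is normalised to lowercase by Suricata, so nocase is not used there.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e196 [tlp:white] Outgoing URL upiserversys1212.com/rl.php"; flow:to_server,established; http.host; content:"upiserversys1212.com"; fast_pattern; http.uri; content:"/rl.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4073801; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/196;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e196 [tlp:white] Outgoing URL 37.59.87.172/page/view.php"; flow:to_server,established; http.host; content:"37.59.87.172"; fast_pattern; http.uri; content:"/page/view.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4073811; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/196;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e196 [tlp:white] Outgoing URL 80.255.3.86/page/view.php"; flow:to_server,established; http.host; content:"80.255.3.86"; fast_pattern; http.uri; content:"/page/view.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4073821; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/196;)
# e197 - the URL is an https download on a shared code-hosting site; only the
# SNI is visible under TLS, so this rule alerts on ALL TLS sessions whose SNI
# contains "bitbucket.org". Treat hits as low-confidence and correlate with
# the e197 IP rule below rather than acting on the SNI match alone.
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e197 [tlp:white] Outgoing URL https|3a|//bitbucket.org/example123321/download/downloads/foldingathomeapp.exe"; tls.sni; content:"bitbucket.org"; tag:session,600,seconds; classtype:trojan-activity; sid:4073841; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/197;)
alert ip $HOME_NET any -> 66.206.18.186 any (msg: "MISP e197 [tlp:white] Outgoing To IP: 66.206.18.186"; classtype:trojan-activity; sid:4073871; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/197;)
# e203 - OilRig attribution tags. The exported msg strings embedded the galaxy
# tag values in unescaped double quotes inside an already-quoted msg, which
# Suricata's option parser does not accept as written; the inner quotes are
# escaped as \" (rev:2), keeping the msg text otherwise identical.
alert dns any any -> any any (msg: "MISP e203 [tlp:white,misp-galaxy:mitre-intrusion-set=\"OilRig\",misp-galaxy:mitre-enterprise-attack-intrusion-set=\"OilRig - G0049\"] Domain rdmsi.com"; dns.query; content:"rdmsi.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])rdmsi\.com$/i"; classtype:trojan-activity; sid:4075501; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/203;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e203 [tlp:white,misp-galaxy:mitre-intrusion-set=\"OilRig\",misp-galaxy:mitre-enterprise-attack-intrusion-set=\"OilRig - G0049\"] Outgoing HTTP Domain rdmsi.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"rdmsi.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])rdmsi\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4075502; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/203;)
alert dns any any -> any any (msg: "MISP e203 [tlp:white,misp-galaxy:mitre-intrusion-set=\"OilRig\",misp-galaxy:mitre-enterprise-attack-intrusion-set=\"OilRig - G0049\"] Domain rsshay.com"; dns.query; content:"rsshay.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])rsshay\.com$/i"; classtype:trojan-activity; sid:4075511; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/203;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e203 [tlp:white,misp-galaxy:mitre-intrusion-set=\"OilRig\",misp-galaxy:mitre-enterprise-attack-intrusion-set=\"OilRig - G0049\"] Outgoing HTTP Domain rsshay.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"rsshay.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])rsshay\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4075512; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/203;)
alert dns any any -> any any (msg: "MISP e203 [tlp:white,misp-galaxy:mitre-intrusion-set=\"OilRig\",misp-galaxy:mitre-enterprise-attack-intrusion-set=\"OilRig - G0049\"] Domain sharjatv.com"; dns.query; content:"sharjatv.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])sharjatv\.com$/i"; classtype:trojan-activity; sid:4075521; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/203;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e203 [tlp:white,misp-galaxy:mitre-intrusion-set=\"OilRig\",misp-galaxy:mitre-enterprise-attack-intrusion-set=\"OilRig - G0049\"] Outgoing HTTP Domain sharjatv.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sharjatv.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sharjatv\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4075522; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/203;)
alert dns any any -> any any (msg: "MISP e203 [tlp:white,misp-galaxy:mitre-intrusion-set=\"OilRig\",misp-galaxy:mitre-enterprise-attack-intrusion-set=\"OilRig - G0049\"] Domain wwmal.com"; dns.query; content:"wwmal.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])wwmal\.com$/i"; classtype:trojan-activity; sid:4075531; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/203;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e203 [tlp:white,misp-galaxy:mitre-intrusion-set=\"OilRig\",misp-galaxy:mitre-enterprise-attack-intrusion-set=\"OilRig - G0049\"] Outgoing HTTP Domain wwmal.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wwmal.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wwmal\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4075532; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/203;)
alert dns any any -> any any (msg: "MISP e203 [tlp:white,misp-galaxy:mitre-intrusion-set=\"OilRig\",misp-galaxy:mitre-enterprise-attack-intrusion-set=\"OilRig - G0049\"] Domain allsecpackupdater.com"; dns.query; content:"allsecpackupdater.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])allsecpackupdater\.com$/i"; classtype:trojan-activity; sid:4075541; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/203;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e203 [tlp:white,misp-galaxy:mitre-intrusion-set=\"OilRig\",misp-galaxy:mitre-enterprise-attack-intrusion-set=\"OilRig - G0049\"] Outgoing HTTP Domain allsecpackupdater.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"allsecpackupdater.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])allsecpackupdater\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4075542; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/203;)
alert dns any any -> any any (msg: "MISP e203 [tlp:white,misp-galaxy:mitre-intrusion-set=\"OilRig\",misp-galaxy:mitre-enterprise-attack-intrusion-set=\"OilRig - G0049\"] Domain tacsent.com"; dns.query; content:"tacsent.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])tacsent\.com$/i"; classtype:trojan-activity; sid:4075551; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/203;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e203 [tlp:white,misp-galaxy:mitre-intrusion-set=\"OilRig\",misp-galaxy:mitre-enterprise-attack-intrusion-set=\"OilRig - G0049\"] Outgoing HTTP Domain tacsent.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tacsent.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tacsent\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4075552; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/203;)
alert dns any any -> any any (msg: "MISP e203 [tlp:white,misp-galaxy:mitre-intrusion-set=\"OilRig\",misp-galaxy:mitre-enterprise-attack-intrusion-set=\"OilRig - G0049\"] Domain acrlee.com"; dns.query; content:"acrlee.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])acrlee\.com$/i"; classtype:trojan-activity; sid:4075561; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/203;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e203 [tlp:white,misp-galaxy:mitre-intrusion-set=\"OilRig\",misp-galaxy:mitre-enterprise-attack-intrusion-set=\"OilRig - G0049\"] Outgoing HTTP Domain acrlee.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"acrlee.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])acrlee\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4075562; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/203;)
alert dns any any -> any any (msg: "MISP e203 [tlp:white,misp-galaxy:mitre-intrusion-set=\"OilRig\",misp-galaxy:mitre-enterprise-attack-intrusion-set=\"OilRig - G0049\"] Domain kopilkaorukov.com"; dns.query; content:"kopilkaorukov.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])kopilkaorukov\.com$/i"; classtype:trojan-activity; sid:4075571; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/203;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e203 [tlp:white,misp-galaxy:mitre-intrusion-set=\"OilRig\",misp-galaxy:mitre-enterprise-attack-intrusion-set=\"OilRig - G0049\"] Outgoing HTTP Domain kopilkaorukov.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kopilkaorukov.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kopilkaorukov\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4075572; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/203;)
alert dns any any -> any any (msg: "MISP e203 [tlp:white,misp-galaxy:mitre-intrusion-set=\"OilRig\",misp-galaxy:mitre-enterprise-attack-intrusion-set=\"OilRig - G0049\"] Hostname digi.shanx.icu"; dns.query; content:"digi.shanx.icu"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])digi\.shanx\.icu$/i"; classtype:trojan-activity; sid:4075581; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/203;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e203 [tlp:white,misp-galaxy:mitre-intrusion-set=\"OilRig\",misp-galaxy:mitre-enterprise-attack-intrusion-set=\"OilRig - G0049\"] Outgoing HTTP Hostname digi.shanx.icu"; flow:to_server,established; http.header; content: "Host|3a| digi.shanx.icu"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])digi\.shanx\.icu[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4075582; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/203;)
alert dns any any -> any any (msg: "MISP e203 [tlp:white,misp-galaxy:mitre-intrusion-set=\"OilRig\",misp-galaxy:mitre-enterprise-attack-intrusion-set=\"OilRig - G0049\"] Domain tprs-servers.eu"; dns.query; content:"tprs-servers.eu"; nocase; pcre: "/(^|[^A-Za-z0-9-])tprs\-servers\.eu$/i"; classtype:trojan-activity; sid:4075591; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/203;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e203 [tlp:white,misp-galaxy:mitre-intrusion-set=\"OilRig\",misp-galaxy:mitre-enterprise-attack-intrusion-set=\"OilRig - G0049\"] Outgoing HTTP Domain tprs-servers.eu"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tprs-servers.eu"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tprs\-servers\.eu[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4075592; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/203;)
alert dns any any -> any any (msg: "MISP e203 [tlp:white,misp-galaxy:mitre-intrusion-set=\"OilRig\",misp-galaxy:mitre-enterprise-attack-intrusion-set=\"OilRig - G0049\"] Domain oudax.com"; dns.query; content:"oudax.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])oudax\.com$/i"; classtype:trojan-activity; sid:4075601; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/203;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e203 [tlp:white,misp-galaxy:mitre-intrusion-set=\"OilRig\",misp-galaxy:mitre-enterprise-attack-intrusion-set=\"OilRig - G0049\"] Outgoing HTTP Domain oudax.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"oudax.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])oudax\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4075602; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/203;)
alert dns any any -> any any (msg: "MISP e203 [tlp:white,misp-galaxy:mitre-intrusion-set=\"OilRig\",misp-galaxy:mitre-enterprise-attack-intrusion-set=\"OilRig - G0049\"] Domain kizlarsoroyur.com"; dns.query; content:"kizlarsoroyur.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])kizlarsoroyur\.com$/i"; classtype:trojan-activity; sid:4075611; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/203;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e203 [tlp:white,misp-galaxy:mitre-intrusion-set=\"OilRig\",misp-galaxy:mitre-enterprise-attack-intrusion-set=\"OilRig - G0049\"] Outgoing HTTP Domain kizlarsoroyur.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kizlarsoroyur.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kizlarsoroyur\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4075612; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/203;)
alert dns any any -> any any (msg: "MISP e203 [tlp:white,misp-galaxy:mitre-intrusion-set=\"OilRig\",misp-galaxy:mitre-enterprise-attack-intrusion-set=\"OilRig - G0049\"] Domain intelligent-finance.site"; dns.query; content:"intelligent-finance.site"; nocase; pcre: "/(^|[^A-Za-z0-9-])intelligent\-finance\.site$/i"; classtype:trojan-activity; sid:4075621; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/203;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e203 [tlp:white,misp-galaxy:mitre-intrusion-set=\"OilRig\",misp-galaxy:mitre-enterprise-attack-intrusion-set=\"OilRig - G0049\"] Outgoing HTTP Domain intelligent-finance.site"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"intelligent-finance.site"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])intelligent\-finance\.site[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4075622; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/203;)
# e204 - Domain indicators, priority 2.
alert dns any any -> any any (msg: "MISP e204 [tlp:white] Domain ed9fb4.com"; dns.query; content:"ed9fb4.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ed9fb4\.com$/i"; classtype:trojan-activity; sid:4075901; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/204;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e204 [tlp:white] Outgoing HTTP Domain ed9fb4.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ed9fb4.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ed9fb4\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4075902; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/204;)
alert dns any any -> any any (msg: "MISP e204 [tlp:white] Domain ch4ck0j.com"; dns.query; content:"ch4ck0j.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ch4ck0j\.com$/i"; classtype:trojan-activity; sid:4075911; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/204;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e204 [tlp:white] Outgoing HTTP Domain ch4ck0j.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ch4ck0j.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ch4ck0j\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4075912; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/204;)
alert dns any any -> any any (msg: "MISP e204 [tlp:white] Domain dywb3va.com"; dns.query; content:"dywb3va.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])dywb3va\.com$/i"; classtype:trojan-activity; sid:4075921; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/204;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e204 [tlp:white] Outgoing HTTP Domain dywb3va.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dywb3va.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dywb3va\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4075922; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/204;)
alert dns any any -> any any (msg: "MISP e204 [tlp:white] Domain j9b8q8.com"; dns.query; content:"j9b8q8.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])j9b8q8\.com$/i"; classtype:trojan-activity; sid:4075931; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/204;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e204 [tlp:white] Outgoing HTTP Domain j9b8q8.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"j9b8q8.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])j9b8q8\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4075932; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/204;)
alert dns any any -> any any (msg: "MISP e204 [tlp:white] Domain osog5n.com"; dns.query; content:"osog5n.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])osog5n\.com$/i"; classtype:trojan-activity; sid:4075941; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/204;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e204 [tlp:white] Outgoing HTTP Domain osog5n.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"osog5n.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])osog5n\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4075942; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/204;)
alert dns any any -> any any (msg: "MISP e204 [tlp:white] Domain oyomc2z.com"; dns.query; content:"oyomc2z.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])oyomc2z\.com$/i"; classtype:trojan-activity; sid:4075951; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/204;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e204 [tlp:white] Outgoing HTTP Domain oyomc2z.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"oyomc2z.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])oyomc2z\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4075952; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/204;)
alert dns any any -> any any (msg: "MISP e204 [tlp:white] Domain pncq6h.com"; dns.query; content:"pncq6h.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])pncq6h\.com$/i"; classtype:trojan-activity; sid:4075961; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/204;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e204 [tlp:white] Outgoing HTTP Domain pncq6h.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pncq6h.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pncq6h\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4075962; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/204;)
alert dns any any -> any any (msg: "MISP e204 [tlp:white] Domain pt48tir.com"; dns.query; content:"pt48tir.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])pt48tir\.com$/i"; classtype:trojan-activity; sid:4075971; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/204;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e204 [tlp:white] Outgoing HTTP Domain pt48tir.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pt48tir.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pt48tir\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4075972; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/204;)
alert dns any any -> any any (msg: "MISP e204 [tlp:white] Domain scgi76.com"; dns.query; content:"scgi76.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])scgi76\.com$/i"; classtype:trojan-activity; sid:4075981; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/204;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e204 [tlp:white] Outgoing HTTP Domain scgi76.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"scgi76.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])scgi76\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4075982; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/204;)
alert dns any any -> any any (msg: "MISP e204 [tlp:white] Domain sv51gh.com"; dns.query; content:"sv51gh.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])sv51gh\.com$/i"; classtype:trojan-activity; sid:4075991; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/204;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e204 [tlp:white] Outgoing HTTP Domain sv51gh.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sv51gh.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sv51gh\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4075992; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/204;)
alert dns any any -> any any (msg: "MISP e204 [tlp:white] Domain vebk1x.com"; dns.query; content:"vebk1x.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])vebk1x\.com$/i"; classtype:trojan-activity; sid:4076001; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/204;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e204 [tlp:white] Outgoing HTTP Domain vebk1x.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vebk1x.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vebk1x\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4076002; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/204;)
alert dns any any -> any any (msg: "MISP e204 [tlp:white] Domain xk625lf.com"; dns.query; content:"xk625lf.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])xk625lf\.com$/i"; classtype:trojan-activity; sid:4076011; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/204;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e204 [tlp:white] Outgoing HTTP Domain xk625lf.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"xk625lf.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])xk625lf\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4076012; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/204;)
# e205 - Hostname indicators, priority 2. appspot.com is a shared hosting
# platform; the Hostname anchoring keeps the match to this one subdomain.
alert dns any any -> any any (msg: "MISP e205 [tlp:white] Hostname chrome-applatnohp.appspot.com"; dns.query; content:"chrome-applatnohp.appspot.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])chrome\-applatnohp\.appspot\.com$/i"; classtype:trojan-activity; sid:4076111; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/205;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e205 [tlp:white] Outgoing HTTP Hostname chrome-applatnohp.appspot.com"; flow:to_server,established; http.header; content: "Host|3a| chrome-applatnohp.appspot.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])chrome\-applatnohp\.appspot\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4076112; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/205;)
alert dns any any -> any any (msg: "MISP e205 [tlp:white] Hostname ussdns04.heketwe.com"; dns.query; content:"ussdns04.heketwe.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ussdns04\.heketwe\.com$/i"; classtype:trojan-activity; sid:4076121; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/205;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e205 [tlp:white] Outgoing HTTP Hostname ussdns04.heketwe.com"; flow:to_server,established; http.header; content: "Host|3a| ussdns04.heketwe.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ussdns04\.heketwe\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4076122; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/205;)
alert dns any any -> any any (msg: "MISP e205 [tlp:white] Hostname ussdns01.heketwe.com"; dns.query; content:"ussdns01.heketwe.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ussdns01\.heketwe\.com$/i"; classtype:trojan-activity; sid:4076131; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/205;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e205 [tlp:white] Outgoing HTTP Hostname ussdns01.heketwe.com"; flow:to_server,established; http.header; content: "Host|3a| ussdns01.heketwe.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ussdns01\.heketwe\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4076132; 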
rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/205;) alert dns any any -> any any (msg: "MISP e205 [tlp:white] Hostname 78276.ussdns02.heketwe.com"; dns.query; content:"78276.ussdns02.heketwe.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])78276\.ussdns02\.heketwe\.com$/i"; classtype:trojan-activity; sid:4076141; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/205;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e205 [tlp:white] Outgoing HTTP Hostname 78276.ussdns02.heketwe.com"; flow:to_server,established; http.header; content: "Host|3a| 78276.ussdns02.heketwe.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])78276\.ussdns02\.heketwe\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4076142; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/205;) alert dns any any -> any any (msg: "MISP e205 [tlp:white] Hostname 78276.ussdns01.heketwe.com"; dns.query; content:"78276.ussdns01.heketwe.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])78276\.ussdns01\.heketwe\.com$/i"; classtype:trojan-activity; sid:4076151; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/205;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e205 [tlp:white] Outgoing HTTP Hostname 78276.ussdns01.heketwe.com"; flow:to_server,established; http.header; content: "Host|3a| 78276.ussdns01.heketwe.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])78276\.ussdns01\.heketwe\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4076152; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/205;) alert ip $HOME_NET any -> 54.38.192.174 any (msg: "MISP e206 [tlp:white] Outgoing To IP: 54.38.192.174"; classtype:trojan-activity; sid:4076371; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/206;) alert ip $HOME_NET any -> 91.229.76.17 any (msg: "MISP e206 [tlp:white] Outgoing To IP: 91.229.76.17"; classtype:trojan-activity; 
sid:4076381; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/206;) alert ip $HOME_NET any -> 91.229.76.153 any (msg: "MISP e206 [tlp:white] Outgoing To IP: 91.229.76.153"; classtype:trojan-activity; sid:4076391; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/206;) alert ip $HOME_NET any -> 91.229.77.240 any (msg: "MISP e206 [tlp:white] Outgoing To IP: 91.229.77.240"; classtype:trojan-activity; sid:4076401; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/206;) alert ip $HOME_NET any -> 91.229.77.120 any (msg: "MISP e206 [tlp:white] Outgoing To IP: 91.229.77.120"; classtype:trojan-activity; sid:4076411; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/206;) alert ip $HOME_NET any -> 91.229.79.120 any (msg: "MISP e206 [tlp:white] Outgoing To IP: 91.229.79.120"; classtype:trojan-activity; sid:4076421; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/206;) alert ip $HOME_NET any -> 105.104.10.115 any (msg: "MISP e206 [tlp:white] Outgoing To IP: 105.104.10.115"; classtype:trojan-activity; sid:4076431; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/206;) alert dns any any -> any any (msg: "MISP e207 [tlp:white] Domain c0sfgh.com"; dns.query; content:"c0sfgh.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])c0sfgh\.com$/i"; classtype:trojan-activity; sid:4076611; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/207;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e207 [tlp:white] Outgoing HTTP Domain c0sfgh.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"c0sfgh.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])c0sfgh\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4076612; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/207;) alert ip $HOME_NET any -> 193.187.174.157 any (msg: "MISP e207 [tlp:white] Outgoing To IP: 
193.187.174.157"; classtype:trojan-activity; sid:4076621; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/207;) alert dns any any -> any any (msg: "MISP e207 [tlp:white] Domain ehy2iyq.com"; dns.query; content:"ehy2iyq.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ehy2iyq\.com$/i"; classtype:trojan-activity; sid:4076631; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/207;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e207 [tlp:white] Outgoing HTTP Domain ehy2iyq.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ehy2iyq.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ehy2iyq\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4076632; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/207;) alert ip $HOME_NET any -> 62.109.24.18 any (msg: "MISP e207 [tlp:white] Outgoing To IP: 62.109.24.18"; classtype:trojan-activity; sid:4076641; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/207;) alert dns any any -> any any (msg: "MISP e207 [tlp:white] Domain g8pf47.com"; dns.query; content:"g8pf47.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])g8pf47\.com$/i"; classtype:trojan-activity; sid:4076651; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/207;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e207 [tlp:white] Outgoing HTTP Domain g8pf47.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"g8pf47.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])g8pf47\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4076652; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/207;) alert ip $HOME_NET any -> 185.62.103.65 any (msg: "MISP e207 [tlp:white] Outgoing To IP: 185.62.103.65"; classtype:trojan-activity; sid:4076661; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/207;) 
alert dns any any -> any any (msg: "MISP e207 [tlp:white] Domain ltdcsz.com"; dns.query; content:"ltdcsz.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ltdcsz\.com$/i"; classtype:trojan-activity; sid:4076671; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/207;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e207 [tlp:white] Outgoing HTTP Domain ltdcsz.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ltdcsz.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ltdcsz\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4076672; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/207;) alert ip $HOME_NET any -> 77.87.212.4 any (msg: "MISP e207 [tlp:white] Outgoing To IP: 77.87.212.4"; classtype:trojan-activity; sid:4076681; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/207;) alert dns any any -> any any (msg: "MISP e207 [tlp:white] Domain ty5uaq.com"; dns.query; content:"ty5uaq.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ty5uaq\.com$/i"; classtype:trojan-activity; sid:4076691; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/207;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e207 [tlp:white] Outgoing HTTP Domain ty5uaq.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ty5uaq.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ty5uaq\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4076692; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/207;) alert ip $HOME_NET any -> 185.117.73.52 any (msg: "MISP e207 [tlp:white] Outgoing To IP: 185.117.73.52"; classtype:trojan-activity; sid:4076701; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/207;) alert dns any any -> any any (msg: "MISP e207 [tlp:white] Domain vuv7s5k.com"; dns.query; content:"vuv7s5k.com"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])vuv7s5k\.com$/i"; classtype:trojan-activity; sid:4076711; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/207;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e207 [tlp:white] Outgoing HTTP Domain vuv7s5k.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vuv7s5k.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vuv7s5k\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4076712; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/207;) alert ip $HOME_NET any -> 185.219.41.227 any (msg: "MISP e207 [tlp:white] Outgoing To IP: 185.219.41.227"; classtype:trojan-activity; sid:4076721; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/207;) alert dns any any -> any any (msg: "MISP e207 [tlp:white] Domain wirrhb.com"; dns.query; content:"wirrhb.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])wirrhb\.com$/i"; classtype:trojan-activity; sid:4076731; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/207;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e207 [tlp:white] Outgoing HTTP Domain wirrhb.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wirrhb.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wirrhb\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4076732; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/207;) alert ip $HOME_NET any -> 45.89.67.57 any (msg: "MISP e207 [tlp:white] Outgoing To IP: 45.89.67.57"; classtype:trojan-activity; sid:4076741; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/207;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname boosthybrid.com.au"; dns.query; content:"boosthybrid.com.au"; nocase; pcre: 
"/(^|[^A-Za-z0-9-\.])boosthybrid\.com\.au$/i"; classtype:trojan-activity; sid:4076921; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname boosthybrid.com.au"; flow:to_server,established; http.header; content: "Host|3a| boosthybrid.com.au"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])boosthybrid\.com\.au[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4076922; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain makeitcount.at"; dns.query; content:"makeitcount.at"; nocase; pcre: "/(^|[^A-Za-z0-9-])makeitcount\.at$/i"; classtype:trojan-activity; sid:4076931; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain makeitcount.at"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"makeitcount.at"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])makeitcount\.at[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4076932; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain danubecloud.com"; dns.query; content:"danubecloud.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])danubecloud\.com$/i"; classtype:trojan-activity; 
sid:4076941; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain danubecloud.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"danubecloud.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])danubecloud\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4076942; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain takeflat.com"; dns.query; content:"takeflat.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])takeflat\.com$/i"; classtype:trojan-activity; sid:4076951; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain takeflat.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"takeflat.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])takeflat\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4076952; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname new.devon.gov.uk"; dns.query; content:"new.devon.gov.uk"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])new\.devon\.gov\.uk$/i"; classtype:trojan-activity; sid:4076961; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname new.devon.gov.uk"; flow:to_server,established; http.header; content: "Host|3a| new.devon.gov.uk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])new\.devon\.gov\.uk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4076962; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain huesges-gruppe.de"; dns.query; content:"huesges-gruppe.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])huesges\-gruppe\.de$/i"; classtype:trojan-activity; sid:4076971; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain huesges-gruppe.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"huesges-gruppe.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])huesges\-gruppe\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4076972; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain theclubms.com"; dns.query; content:"theclubms.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])theclubms\.com$/i"; classtype:trojan-activity; sid:4076981; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain theclubms.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"theclubms.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])theclubms\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4076982; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain hoteledenpadova.it"; dns.query; content:"hoteledenpadova.it"; nocase; pcre: "/(^|[^A-Za-z0-9-])hoteledenpadova\.it$/i"; classtype:trojan-activity; sid:4076991; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain hoteledenpadova.it"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hoteledenpadova.it"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hoteledenpadova\.it[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4076992; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname plastidip.com.ar"; dns.query; content:"plastidip.com.ar"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])plastidip\.com\.ar$/i"; classtype:trojan-activity; sid:4077001; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname plastidip.com.ar"; flow:to_server,established; http.header; content: "Host|3a| plastidip.com.ar"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])plastidip\.com\.ar[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077002; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain zimmerei-fl.de"; dns.query; content:"zimmerei-fl.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])zimmerei\-fl\.de$/i"; classtype:trojan-activity; sid:4077011; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain zimmerei-fl.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"zimmerei-fl.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])zimmerei\-fl\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077012; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain whittier5k.com"; dns.query; content:"whittier5k.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])whittier5k\.com$/i"; classtype:trojan-activity; sid:4077021; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain whittier5k.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"whittier5k.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])whittier5k\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077022; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain cityorchardhtx.com"; dns.query; content:"cityorchardhtx.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])cityorchardhtx\.com$/i"; classtype:trojan-activity; sid:4077031; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain cityorchardhtx.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cityorchardhtx.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cityorchardhtx\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077032; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain greenko.pl"; dns.query; content:"greenko.pl"; nocase; pcre: "/(^|[^A-Za-z0-9-])greenko\.pl$/i"; classtype:trojan-activity; sid:4077041; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain greenko.pl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"greenko.pl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])greenko\.pl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077042; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain eadsmurraypugh.com"; dns.query; content:"eadsmurraypugh.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])eadsmurraypugh\.com$/i"; classtype:trojan-activity; sid:4077051; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain eadsmurraypugh.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"eadsmurraypugh.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])eadsmurraypugh\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077052; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain yousay.site"; dns.query; content:"yousay.site"; nocase; pcre: "/(^|[^A-Za-z0-9-])yousay\.site$/i"; classtype:trojan-activity; sid:4077061; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - 
S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain yousay.site"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"yousay.site"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])yousay\.site[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077062; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain autopfand24.de"; dns.query; content:"autopfand24.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])autopfand24\.de$/i"; classtype:trojan-activity; sid:4077071; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain autopfand24.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"autopfand24.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])autopfand24\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077072; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain artotelamsterdam.com"; dns.query; content:"artotelamsterdam.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])artotelamsterdam\.com$/i"; classtype:trojan-activity; sid:4077081; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - 
S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain artotelamsterdam.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"artotelamsterdam.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])artotelamsterdam\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077082; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain ftlc.es"; dns.query; content:"ftlc.es"; nocase; pcre: "/(^|[^A-Za-z0-9-])ftlc\.es$/i"; classtype:trojan-activity; sid:4077091; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain ftlc.es"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ftlc.es"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ftlc\.es[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077092; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain skanah.com"; dns.query; content:"skanah.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])skanah\.com$/i"; classtype:trojan-activity; sid:4077111; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain 
skanah.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"skanah.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])skanah\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077112; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain unetica.fr"; dns.query; content:"unetica.fr"; nocase; pcre: "/(^|[^A-Za-z0-9-])unetica\.fr$/i"; classtype:trojan-activity; sid:4077121; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain unetica.fr"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"unetica.fr"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])unetica\.fr[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077122; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain rksbusiness.com"; dns.query; content:"rksbusiness.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])rksbusiness\.com$/i"; classtype:trojan-activity; sid:4077131; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain rksbusiness.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; 
http.header; content:"rksbusiness.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])rksbusiness\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077132; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain simpliza.com"; dns.query; content:"simpliza.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])simpliza\.com$/i"; classtype:trojan-activity; sid:4077141; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain simpliza.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"simpliza.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])simpliza\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077142; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain ora-it.de"; dns.query; content:"ora-it.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])ora\-it\.de$/i"; classtype:trojan-activity; sid:4077151; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain ora-it.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ora-it.de"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])ora\-it\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077152; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain geekwork.pl"; dns.query; content:"geekwork.pl"; nocase; pcre: "/(^|[^A-Za-z0-9-])geekwork\.pl$/i"; classtype:trojan-activity; sid:4077161; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain geekwork.pl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"geekwork.pl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])geekwork\.pl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077162; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain faroairporttransfers.net"; dns.query; content:"faroairporttransfers.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])faroairporttransfers\.net$/i"; classtype:trojan-activity; sid:4077171; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain faroairporttransfers.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"faroairporttransfers.net"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])faroairporttransfers\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077172; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain microcirc.net"; dns.query; content:"microcirc.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])microcirc\.net$/i"; classtype:trojan-activity; sid:4077181; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain microcirc.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"microcirc.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])microcirc\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077182; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain uimaan.fi"; dns.query; content:"uimaan.fi"; nocase; pcre: "/(^|[^A-Za-z0-9-])uimaan\.fi$/i"; classtype:trojan-activity; sid:4077191; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain uimaan.fi"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"uimaan.fi"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])uimaan\.fi[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4077192; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain peterstrobos.com"; dns.query; content:"peterstrobos.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])peterstrobos\.com$/i"; classtype:trojan-activity; sid:4077201; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain peterstrobos.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"peterstrobos.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])peterstrobos\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077202; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain wychowanieprzedszkolne.pl"; dns.query; content:"wychowanieprzedszkolne.pl"; nocase; pcre: "/(^|[^A-Za-z0-9-])wychowanieprzedszkolne\.pl$/i"; classtype:trojan-activity; sid:4077211; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain wychowanieprzedszkolne.pl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wychowanieprzedszkolne.pl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wychowanieprzedszkolne\.pl[^A-Za-z0-9-\.]/Hi"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4077212; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain marietteaernoudts.nl"; dns.query; content:"marietteaernoudts.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])marietteaernoudts\.nl$/i"; classtype:trojan-activity; sid:4077221; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain marietteaernoudts.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"marietteaernoudts.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])marietteaernoudts\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077222; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain lichencafe.com"; dns.query; content:"lichencafe.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])lichencafe\.com$/i"; classtype:trojan-activity; sid:4077231; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain lichencafe.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lichencafe.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lichencafe\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4077232; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain withahmed.com"; dns.query; content:"withahmed.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])withahmed\.com$/i"; classtype:trojan-activity; sid:4077241; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain withahmed.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"withahmed.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])withahmed\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077242; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain fundaciongregal.org"; dns.query; content:"fundaciongregal.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])fundaciongregal\.org$/i"; classtype:trojan-activity; sid:4077251; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain fundaciongregal.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"fundaciongregal.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])fundaciongregal\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; 
sid:4077252; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname zervicethai.co.th"; dns.query; content:"zervicethai.co.th"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])zervicethai\.co\.th$/i"; classtype:trojan-activity; sid:4077261; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname zervicethai.co.th"; flow:to_server,established; http.header; content: "Host|3a| zervicethai.co.th"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])zervicethai\.co\.th[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077262; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain zso-mannheim.de"; dns.query; content:"zso-mannheim.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])zso\-mannheim\.de$/i"; classtype:trojan-activity; sid:4077271; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain zso-mannheim.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"zso-mannheim.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])zso\-mannheim\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077272; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain compliancesolutionsstrategies.com"; dns.query; content:"compliancesolutionsstrategies.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])compliancesolutionsstrategies\.com$/i"; classtype:trojan-activity; sid:4077281; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain compliancesolutionsstrategies.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"compliancesolutionsstrategies.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])compliancesolutionsstrategies\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077282; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain retroearthstudio.com"; dns.query; content:"retroearthstudio.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])retroearthstudio\.com$/i"; classtype:trojan-activity; sid:4077291; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain retroearthstudio.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"retroearthstudio.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])retroearthstudio\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077292; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain corelifenutrition.com"; dns.query; content:"corelifenutrition.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])corelifenutrition\.com$/i"; classtype:trojan-activity; sid:4077301; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain corelifenutrition.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"corelifenutrition.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])corelifenutrition\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077302; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain maasreusel.nl"; dns.query; content:"maasreusel.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])maasreusel\.nl$/i"; classtype:trojan-activity; sid:4077311; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain maasreusel.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"maasreusel.nl"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])maasreusel\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077312; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain consultaractadenacimiento.com"; dns.query; content:"consultaractadenacimiento.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])consultaractadenacimiento\.com$/i"; classtype:trojan-activity; sid:4077321; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain consultaractadenacimiento.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"consultaractadenacimiento.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])consultaractadenacimiento\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077322; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain deprobatehelp.com"; dns.query; content:"deprobatehelp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])deprobatehelp\.com$/i"; classtype:trojan-activity; sid:4077331; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain deprobatehelp.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; 
content:"deprobatehelp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])deprobatehelp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077332; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain effortlesspromo.com"; dns.query; content:"effortlesspromo.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])effortlesspromo\.com$/i"; classtype:trojan-activity; sid:4077341; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain effortlesspromo.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"effortlesspromo.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])effortlesspromo\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077342; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain enovos.de"; dns.query; content:"enovos.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])enovos\.de$/i"; classtype:trojan-activity; sid:4077351; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain enovos.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"enovos.de"; fast_pattern; nocase; 
pcre: "/(^|[^A-Za-z0-9-])enovos\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077352; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname globedivers.wordpress.com"; dns.query; content:"globedivers.wordpress.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])globedivers\.wordpress\.com$/i"; classtype:trojan-activity; sid:4077361; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname globedivers.wordpress.com"; flow:to_server,established; http.header; content: "Host|3a| globedivers.wordpress.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])globedivers\.wordpress\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077362; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain bastutunnan.se"; dns.query; content:"bastutunnan.se"; nocase; pcre: "/(^|[^A-Za-z0-9-])bastutunnan\.se$/i"; classtype:trojan-activity; sid:4077371; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain bastutunnan.se"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bastutunnan.se"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])bastutunnan\.se[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077372; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain atmos-show.com"; dns.query; content:"atmos-show.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])atmos\-show\.com$/i"; classtype:trojan-activity; sid:4077381; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain atmos-show.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"atmos-show.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])atmos\-show\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077382; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname surespark.org.uk"; dns.query; content:"surespark.org.uk"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])surespark\.org\.uk$/i"; classtype:trojan-activity; sid:4077391; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname surespark.org.uk"; flow:to_server,established; http.header; content: "Host|3a| surespark.org.uk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])surespark\.org\.uk[^A-Za-z0-9-\.]/Hi"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4077392; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain radaradvies.nl"; dns.query; content:"radaradvies.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])radaradvies\.nl$/i"; classtype:trojan-activity; sid:4077401; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain radaradvies.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"radaradvies.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])radaradvies\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077402; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain em-gmbh.ch"; dns.query; content:"em-gmbh.ch"; nocase; pcre: "/(^|[^A-Za-z0-9-])em\-gmbh\.ch$/i"; classtype:trojan-activity; sid:4077411; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain em-gmbh.ch"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"em-gmbh.ch"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])em\-gmbh\.ch[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077412; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain idemblogs.com"; dns.query; content:"idemblogs.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])idemblogs\.com$/i"; classtype:trojan-activity; sid:4077421; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain idemblogs.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"idemblogs.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])idemblogs\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077422; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain iyengaryogacharlotte.com"; dns.query; content:"iyengaryogacharlotte.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])iyengaryogacharlotte\.com$/i"; classtype:trojan-activity; sid:4077431; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain iyengaryogacharlotte.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"iyengaryogacharlotte.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])iyengaryogacharlotte\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077432; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname wien-mitte.co.at"; dns.query; content:"wien-mitte.co.at"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])wien\-mitte\.co\.at$/i"; classtype:trojan-activity; sid:4077441; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname wien-mitte.co.at"; flow:to_server,established; http.header; content: "Host|3a| wien-mitte.co.at"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])wien\-mitte\.co\.at[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077442; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain sweering.fr"; dns.query; content:"sweering.fr"; nocase; pcre: "/(^|[^A-Za-z0-9-])sweering\.fr$/i"; classtype:trojan-activity; sid:4077451; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain sweering.fr"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sweering.fr"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sweering\.fr[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077452; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any 
(msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain huehnerauge-entfernen.de"; dns.query; content:"huehnerauge-entfernen.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])huehnerauge\-entfernen\.de$/i"; classtype:trojan-activity; sid:4077461; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain huehnerauge-entfernen.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"huehnerauge-entfernen.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])huehnerauge\-entfernen\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077462; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain ihr-news.jp"; dns.query; content:"ihr-news.jp"; nocase; pcre: "/(^|[^A-Za-z0-9-])ihr\-news\.jp$/i"; classtype:trojan-activity; sid:4077471; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain ihr-news.jp"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ihr-news.jp"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ihr\-news\.jp[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077472; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP 
e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain mikeramirezcpa.com"; dns.query; content:"mikeramirezcpa.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])mikeramirezcpa\.com$/i"; classtype:trojan-activity; sid:4077481; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain mikeramirezcpa.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mikeramirezcpa.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mikeramirezcpa\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077482; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain parkcf.nl"; dns.query; content:"parkcf.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])parkcf\.nl$/i"; classtype:trojan-activity; sid:4077491; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain parkcf.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"parkcf.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])parkcf\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077492; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - 
S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain sla-paris.com"; dns.query; content:"sla-paris.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])sla\-paris\.com$/i"; classtype:trojan-activity; sid:4077501; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain sla-paris.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sla-paris.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sla\-paris\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077502; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain parkstreetauto.net"; dns.query; content:"parkstreetauto.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])parkstreetauto\.net$/i"; classtype:trojan-activity; sid:4077511; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain parkstreetauto.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"parkstreetauto.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])parkstreetauto\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077512; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - 
S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname sexandfessenjoon.wordpress.com"; dns.query; content:"sexandfessenjoon.wordpress.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])sexandfessenjoon\.wordpress\.com$/i"; classtype:trojan-activity; sid:4077521; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname sexandfessenjoon.wordpress.com"; flow:to_server,established; http.header; content: "Host|3a| sexandfessenjoon.wordpress.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])sexandfessenjoon\.wordpress\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077522; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain maratonaclubedeportugal.com"; dns.query; content:"maratonaclubedeportugal.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])maratonaclubedeportugal\.com$/i"; classtype:trojan-activity; sid:4077531; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain maratonaclubedeportugal.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"maratonaclubedeportugal.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])maratonaclubedeportugal\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077532; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns 
any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain mylovelybluesky.com"; dns.query; content:"mylovelybluesky.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])mylovelybluesky\.com$/i"; classtype:trojan-activity; sid:4077541; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain mylovelybluesky.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mylovelybluesky.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mylovelybluesky\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077542; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain connectedace.com"; dns.query; content:"connectedace.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])connectedace\.com$/i"; classtype:trojan-activity; sid:4077551; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain connectedace.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"connectedace.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])connectedace\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077552; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any 
(msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain asiluxury.com"; dns.query; content:"asiluxury.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])asiluxury\.com$/i"; classtype:trojan-activity; sid:4077561; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain asiluxury.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"asiluxury.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])asiluxury\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077562; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname wari.com.pe"; dns.query; content:"wari.com.pe"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])wari\.com\.pe$/i"; classtype:trojan-activity; sid:4077571; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname wari.com.pe"; flow:to_server,established; http.header; content: "Host|3a| wari.com.pe"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])wari\.com\.pe[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077572; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - 
S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain dutchbrewingcoffee.com"; dns.query; content:"dutchbrewingcoffee.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])dutchbrewingcoffee\.com$/i"; classtype:trojan-activity; sid:4077581; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain dutchbrewingcoffee.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dutchbrewingcoffee.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dutchbrewingcoffee\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077582; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain amylendscrestview.com"; dns.query; content:"amylendscrestview.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])amylendscrestview\.com$/i"; classtype:trojan-activity; sid:4077591; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain amylendscrestview.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"amylendscrestview.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])amylendscrestview\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077592; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain minipara.com"; dns.query; content:"minipara.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])minipara\.com$/i"; classtype:trojan-activity; sid:4077601; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain minipara.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"minipara.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])minipara\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077602; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain rocketccw.com"; dns.query; content:"rocketccw.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])rocketccw\.com$/i"; classtype:trojan-activity; sid:4077611; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain rocketccw.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"rocketccw.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])rocketccw\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077612; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - 
S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain wacochamber.com"; dns.query; content:"wacochamber.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])wacochamber\.com$/i"; classtype:trojan-activity; sid:4077621; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain wacochamber.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wacochamber.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wacochamber\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077622; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain anybookreader.de"; dns.query; content:"anybookreader.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])anybookreader\.de$/i"; classtype:trojan-activity; sid:4077631; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain anybookreader.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"anybookreader.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])anybookreader\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077632; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - 
S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain rimborsobancario.net"; dns.query; content:"rimborsobancario.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])rimborsobancario\.net$/i"; classtype:trojan-activity; sid:4077641; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain rimborsobancario.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"rimborsobancario.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])rimborsobancario\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077642; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain heurigen-bauer.at"; dns.query; content:"heurigen-bauer.at"; nocase; pcre: "/(^|[^A-Za-z0-9-])heurigen\-bauer\.at$/i"; classtype:trojan-activity; sid:4077651; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain heurigen-bauer.at"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"heurigen-bauer.at"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])heurigen\-bauer\.at[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077652; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - 
S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain purposeadvisorsolutions.com"; dns.query; content:"purposeadvisorsolutions.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])purposeadvisorsolutions\.com$/i"; classtype:trojan-activity; sid:4077661; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain purposeadvisorsolutions.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"purposeadvisorsolutions.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])purposeadvisorsolutions\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077662; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain y-archive.com"; dns.query; content:"y-archive.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])y\-archive\.com$/i"; classtype:trojan-activity; sid:4077671; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain y-archive.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"y-archive.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])y\-archive\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077672; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain paulisdogshop.de"; dns.query; content:"paulisdogshop.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])paulisdogshop\.de$/i"; classtype:trojan-activity; sid:4077681; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain paulisdogshop.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"paulisdogshop.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])paulisdogshop\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077682; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain navyfederalautooverseas.com"; dns.query; content:"navyfederalautooverseas.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])navyfederalautooverseas\.com$/i"; classtype:trojan-activity; sid:4077691; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain navyfederalautooverseas.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"navyfederalautooverseas.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])navyfederalautooverseas\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077692; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any 
-> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain aco-media.nl"; dns.query; content:"aco-media.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])aco\-media\.nl$/i"; classtype:trojan-activity; sid:4077701; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain aco-media.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"aco-media.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])aco\-media\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077702; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain spsshomeworkhelp.com"; dns.query; content:"spsshomeworkhelp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])spsshomeworkhelp\.com$/i"; classtype:trojan-activity; sid:4077711; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain spsshomeworkhelp.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"spsshomeworkhelp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])spsshomeworkhelp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077712; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain tomaso.gr"; dns.query; content:"tomaso.gr"; nocase; pcre: "/(^|[^A-Za-z0-9-])tomaso\.gr$/i"; classtype:trojan-activity; sid:4077721; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain tomaso.gr"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tomaso.gr"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tomaso\.gr[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077722; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain upmrkt.co"; dns.query; content:"upmrkt.co"; nocase; pcre: "/(^|[^A-Za-z0-9-])upmrkt\.co$/i"; classtype:trojan-activity; sid:4077731; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain upmrkt.co"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"upmrkt.co"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])upmrkt\.co[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077732; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - 
S0029",tlp:white] Domain spacecitysisters.org"; dns.query; content:"spacecitysisters.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])spacecitysisters\.org$/i"; classtype:trojan-activity; sid:4077741; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain spacecitysisters.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"spacecitysisters.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])spacecitysisters\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077742; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain drinkseed.com"; dns.query; content:"drinkseed.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])drinkseed\.com$/i"; classtype:trojan-activity; sid:4077751; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain drinkseed.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"drinkseed.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])drinkseed\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077752; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain 
forskolorna.org"; dns.query; content:"forskolorna.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])forskolorna\.org$/i"; classtype:trojan-activity; sid:4077761; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain forskolorna.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"forskolorna.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])forskolorna\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077762; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain zewatchers.com"; dns.query; content:"zewatchers.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])zewatchers\.com$/i"; classtype:trojan-activity; sid:4077771; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain zewatchers.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"zewatchers.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])zewatchers\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077772; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain fannmedias.com"; dns.query; content:"fannmedias.com"; 
nocase; pcre: "/(^|[^A-Za-z0-9-])fannmedias\.com$/i"; classtype:trojan-activity; sid:4077781; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain fannmedias.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"fannmedias.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])fannmedias\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077782; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain spd-ehningen.de"; dns.query; content:"spd-ehningen.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])spd\-ehningen\.de$/i"; classtype:trojan-activity; sid:4077791; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain spd-ehningen.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"spd-ehningen.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])spd\-ehningen\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077792; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain ohidesign.com"; dns.query; content:"ohidesign.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ohidesign\.com$/i"; 
classtype:trojan-activity; sid:4077801; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain ohidesign.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ohidesign.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ohidesign\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077802; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname creative-waves.co.uk"; dns.query; content:"creative-waves.co.uk"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])creative\-waves\.co\.uk$/i"; classtype:trojan-activity; sid:4077811; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname creative-waves.co.uk"; flow:to_server,established; http.header; content: "Host|3a| creative-waves.co.uk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])creative\-waves\.co\.uk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077812; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain desert-trails.com"; dns.query; content:"desert-trails.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])desert\-trails\.com$/i"; classtype:trojan-activity; 
sid:4077821; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain desert-trails.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"desert-trails.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])desert\-trails\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077822; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain troegs.com"; dns.query; content:"troegs.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])troegs\.com$/i"; classtype:trojan-activity; sid:4077831; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain troegs.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"troegs.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])troegs\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077832; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain abogadoengijon.es"; dns.query; content:"abogadoengijon.es"; nocase; pcre: "/(^|[^A-Za-z0-9-])abogadoengijon\.es$/i"; classtype:trojan-activity; sid:4077841; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain abogadoengijon.es"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"abogadoengijon.es"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])abogadoengijon\.es[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077842; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain the-virtualizer.com"; dns.query; content:"the-virtualizer.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])the\-virtualizer\.com$/i"; classtype:trojan-activity; sid:4077851; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain the-virtualizer.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"the-virtualizer.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])the\-virtualizer\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077852; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain urmasiimariiuniri.ro"; dns.query; content:"urmasiimariiuniri.ro"; nocase; pcre: "/(^|[^A-Za-z0-9-])urmasiimariiuniri\.ro$/i"; classtype:trojan-activity; sid:4077861; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain urmasiimariiuniri.ro"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"urmasiimariiuniri.ro"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])urmasiimariiuniri\.ro[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077862; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain castillobalduz.es"; dns.query; content:"castillobalduz.es"; nocase; pcre: "/(^|[^A-Za-z0-9-])castillobalduz\.es$/i"; classtype:trojan-activity; sid:4077871; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain castillobalduz.es"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"castillobalduz.es"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])castillobalduz\.es[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077872; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain rafaut.com"; dns.query; content:"rafaut.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])rafaut\.com$/i"; classtype:trojan-activity; sid:4077881; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain rafaut.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"rafaut.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])rafaut\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077882; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain rollingrockcolumbia.com"; dns.query; content:"rollingrockcolumbia.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])rollingrockcolumbia\.com$/i"; classtype:trojan-activity; sid:4077891; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain rollingrockcolumbia.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"rollingrockcolumbia.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])rollingrockcolumbia\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077892; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain dekkinngay.com"; dns.query; content:"dekkinngay.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])dekkinngay\.com$/i"; classtype:trojan-activity; sid:4077901; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain dekkinngay.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dekkinngay.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dekkinngay\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077902; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain restaurantesszimmer.de"; dns.query; content:"restaurantesszimmer.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])restaurantesszimmer\.de$/i"; classtype:trojan-activity; sid:4077911; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain restaurantesszimmer.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"restaurantesszimmer.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])restaurantesszimmer\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077912; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain mylolis.com"; dns.query; content:"mylolis.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])mylolis\.com$/i"; classtype:trojan-activity; sid:4077921; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain mylolis.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mylolis.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mylolis\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077922; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain caribdoctor.org"; dns.query; content:"caribdoctor.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])caribdoctor\.org$/i"; classtype:trojan-activity; sid:4077931; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain caribdoctor.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"caribdoctor.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])caribdoctor\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077932; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain cirugiauretra.es"; dns.query; content:"cirugiauretra.es"; nocase; pcre: "/(^|[^A-Za-z0-9-])cirugiauretra\.es$/i"; classtype:trojan-activity; sid:4077941; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) 
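# Review notes for the e208 rules below (sids 4077942, 4077951, 4077952, 4077961):
# - Suricata's msg keyword requires '"', ';' and '\' inside the message to be escaped.
#   The exported galaxy tags (misp-galaxy:mitre-enterprise-attack-tool="...") carried raw
#   double quotes inside msg; they are escaped as \" here and rev is bumped to 2. Depending
#   on the Suricata version an unescaped quote is either a load error for that rule or a
#   mangled msg, so validate the file with `suricata -T -S <file>` before deploying.
# - The HTTP rules match the domain anywhere in the request header block: the second
#   http.header content and the /H pcre are not anchored to the "Host:" line, so a Referer
#   or Cookie header that merely mentions the domain also fires. If that is too noisy,
#   match on the normalized http.host buffer instead (e.g. http.host; content:"..."; endswith).
# - The DNS rules fire on any resolution of the bare domain or a subdomain of it
#   (the pcre allows a leading label), independent of whether a malicious path is ever
#   requested. Review the listed domains against the MISP event before running these at
#   priority:1 in a paging or blocking configuration.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Outgoing HTTP Domain cirugiauretra.es"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cirugiauretra.es"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cirugiauretra\.es[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077942; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Domain eglectonk.online"; dns.query; content:"eglectonk.online"; nocase; pcre: "/(^|[^A-Za-z0-9-])eglectonk\.online$/i"; classtype:trojan-activity; sid:4077951; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Outgoing HTTP Domain eglectonk.online"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"eglectonk.online"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])eglectonk\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077952; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Domain colorofhorses.com"; dns.query; content:"colorofhorses.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])colorofhorses\.com$/i"; classtype:trojan-activity; sid:4077961; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> 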
$EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain colorofhorses.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"colorofhorses.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])colorofhorses\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077962; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain smokeysstoves.com"; dns.query; content:"smokeysstoves.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])smokeysstoves\.com$/i"; classtype:trojan-activity; sid:4077971; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain smokeysstoves.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"smokeysstoves.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])smokeysstoves\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077972; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain thewellnessmimi.com"; dns.query; content:"thewellnessmimi.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])thewellnessmimi\.com$/i"; classtype:trojan-activity; sid:4077981; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain thewellnessmimi.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"thewellnessmimi.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])thewellnessmimi\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077982; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain hellohope.com"; dns.query; content:"hellohope.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])hellohope\.com$/i"; classtype:trojan-activity; sid:4077991; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain hellohope.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hellohope.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hellohope\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4077992; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain 1team.es"; dns.query; content:"1team.es"; nocase; pcre: "/(^|[^A-Za-z0-9-])1team\.es$/i"; classtype:trojan-activity; sid:4078001; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - 
S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain 1team.es"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"1team.es"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])1team\.es[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078002; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain alten-mebel63.ru"; dns.query; content:"alten-mebel63.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])alten\-mebel63\.ru$/i"; classtype:trojan-activity; sid:4078011; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain alten-mebel63.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"alten-mebel63.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])alten\-mebel63\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078012; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain dw-css.de"; dns.query; content:"dw-css.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])dw\-css\.de$/i"; classtype:trojan-activity; sid:4078021; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] 
Outgoing HTTP Domain dw-css.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dw-css.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dw\-css\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078022; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname teczowadolina.bytom.pl"; dns.query; content:"teczowadolina.bytom.pl"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])teczowadolina\.bytom\.pl$/i"; classtype:trojan-activity; sid:4078031; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname teczowadolina.bytom.pl"; flow:to_server,established; http.header; content: "Host|3a| teczowadolina.bytom.pl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])teczowadolina\.bytom\.pl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078032; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain tenacitytenfold.com"; dns.query; content:"tenacitytenfold.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])tenacitytenfold\.com$/i"; classtype:trojan-activity; sid:4078041; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain 
tenacitytenfold.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tenacitytenfold.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tenacitytenfold\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078042; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain drugdevice.org"; dns.query; content:"drugdevice.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])drugdevice\.org$/i"; classtype:trojan-activity; sid:4078051; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain drugdevice.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"drugdevice.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])drugdevice\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078052; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname toponlinecasinosuk.co.uk"; dns.query; content:"toponlinecasinosuk.co.uk"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])toponlinecasinosuk\.co\.uk$/i"; classtype:trojan-activity; sid:4078061; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname 
toponlinecasinosuk.co.uk"; flow:to_server,established; http.header; content: "Host|3a| toponlinecasinosuk.co.uk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])toponlinecasinosuk\.co\.uk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078062; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain iwelt.de"; dns.query; content:"iwelt.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])iwelt\.de$/i"; classtype:trojan-activity; sid:4078071; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain iwelt.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"iwelt.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])iwelt\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078072; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain thailandholic.com"; dns.query; content:"thailandholic.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])thailandholic\.com$/i"; classtype:trojan-activity; sid:4078081; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain thailandholic.com"; flow:to_server,established; http.header; content: "Host|3a|"; 
nocase; http.header; content:"thailandholic.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])thailandholic\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078082; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain hkr-reise.de"; dns.query; content:"hkr-reise.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])hkr\-reise\.de$/i"; classtype:trojan-activity; sid:4078091; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain hkr-reise.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hkr-reise.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hkr\-reise\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078092; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain schlafsack-test.net"; dns.query; content:"schlafsack-test.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])schlafsack\-test\.net$/i"; classtype:trojan-activity; sid:4078101; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain schlafsack-test.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; 
content:"schlafsack-test.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])schlafsack\-test\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078102; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain mirjamholleman.nl"; dns.query; content:"mirjamholleman.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])mirjamholleman\.nl$/i"; classtype:trojan-activity; sid:4078111; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain mirjamholleman.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mirjamholleman.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mirjamholleman\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078112; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain xn--rumung-bua.online"; dns.query; content:"xn--rumung-bua.online"; nocase; pcre: "/(^|[^A-Za-z0-9-])xn\-\-rumung\-bua\.online$/i"; classtype:trojan-activity; sid:4078121; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain xn--rumung-bua.online"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; 
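content:"xn--rumung-bua.online"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])xn\-\-rumung\-bua\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078122; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# --- MISP event 208 (misp.botvrij.eu), Domain / Hostname indicators ---
# Every indicator is exported as a pair of rules (one rule per line, as Suricata
# requires):
#   * dns rule  - alerts on a DNS query for the name. "Domain" indicators match
#     the name or any subdomain, "Hostname" indicators match the exact name only.
#     The rule is "any any -> any any", so a forwarded query seen on a resolver
#     uplink triggers it as well as the original client query.
#   * http rule - alerts on an outbound clear-text HTTP request to the name.
#     Matched on the http.host buffer (Host header / URI authority, lowercased,
#     port stripped) instead of searching the whole header block, so a Referer,
#     Origin or Cookie header that merely contains the name no longer fires the
#     rule. http.host is already lowercase, so nocase is neither needed nor
#     permitted there. endswith / bsize require Suricata 5.0+, the same baseline
#     as the http.header / dns.query sticky buffers used by this export.
# Caveats:
#   * HTTPS is not covered: the Host header is only visible on clear-text HTTP.
#     A tls.sni rule per indicator would be needed for TLS traffic.
#   * Suricata requires ';' and '"' inside a quoted msg value to be escaped; the
#     double quotes coming from the misp-galaxy tags are therefore written as \".
#     rev is bumped to 2 on every rule changed here.
#   * A hit means a connection to a listed indicator, not a confirmed infection;
#     several of these names look like ordinary third-party web sites, so check
#     the referenced event page before turning alert into drop.
alert dns any any -> any any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Domain vannesteconstruct.be"; dns.query; content:"vannesteconstruct.be"; nocase; pcre:"/(^|[^A-Za-z0-9-])vannesteconstruct\.be$/i"; classtype:trojan-activity; sid:4078131; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Outgoing HTTP Domain vannesteconstruct.be"; flow:to_server,established; http.host; content:"vannesteconstruct.be"; fast_pattern; endswith; pcre:"/(^|\.)vannesteconstruct\.be$/"; tag:session,600,seconds; classtype:trojan-activity; sid:4078132; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Domain chrissieperry.com"; dns.query; content:"chrissieperry.com"; nocase; pcre:"/(^|[^A-Za-z0-9-])chrissieperry\.com$/i"; classtype:trojan-activity; sid:4078141; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Outgoing HTTP Domain chrissieperry.com"; flow:to_server,established; http.host; content:"chrissieperry.com"; fast_pattern; endswith; pcre:"/(^|\.)chrissieperry\.com$/"; tag:session,600,seconds; classtype:trojan-activity; sid:4078142; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Domain brevitempore.net"; dns.query; content:"brevitempore.net"; nocase; pcre:"/(^|[^A-Za-z0-9-])brevitempore\.net$/i"; classtype:trojan-activity; sid:4078151; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Outgoing HTTP Domain brevitempore.net"; flow:to_server,established; http.host; content:"brevitempore.net"; fast_pattern; endswith; pcre:"/(^|\.)brevitempore\.net$/"; tag:session,600,seconds; classtype:trojan-activity; sid:4078152; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Domain nuzech.com"; dns.query; content:"nuzech.com"; nocase; pcre:"/(^|[^A-Za-z0-9-])nuzech\.com$/i"; classtype:trojan-activity; sid:4078161; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Outgoing HTTP Domain nuzech.com"; flow:to_server,established; http.host; content:"nuzech.com"; fast_pattern; endswith; pcre:"/(^|\.)nuzech\.com$/"; tag:session,600,seconds; classtype:trojan-activity; sid:4078162; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Domain sloverse.com"; dns.query; content:"sloverse.com"; nocase; pcre:"/(^|[^A-Za-z0-9-])sloverse\.com$/i"; classtype:trojan-activity; sid:4078171; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Outgoing HTTP Domain sloverse.com"; flow:to_server,established; http.host; content:"sloverse.com"; fast_pattern; endswith; pcre:"/(^|\.)sloverse\.com$/"; tag:session,600,seconds; classtype:trojan-activity; sid:4078172; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Domain xn--vrftet-pua.biz"; dns.query; content:"xn--vrftet-pua.biz"; nocase; pcre:"/(^|[^A-Za-z0-9-])xn\-\-vrftet\-pua\.biz$/i"; classtype:trojan-activity; sid:4078181; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Outgoing HTTP Domain xn--vrftet-pua.biz"; flow:to_server,established; http.host; content:"xn--vrftet-pua.biz"; fast_pattern; endswith; pcre:"/(^|\.)xn\-\-vrftet\-pua\.biz$/"; tag:session,600,seconds; classtype:trojan-activity; sid:4078182; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Domain mooshine.com"; dns.query; content:"mooshine.com"; nocase; pcre:"/(^|[^A-Za-z0-9-])mooshine\.com$/i"; classtype:trojan-activity; sid:4078201; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Outgoing HTTP Domain mooshine.com"; flow:to_server,established; http.host; content:"mooshine.com"; fast_pattern; endswith; pcre:"/(^|\.)mooshine\.com$/"; tag:session,600,seconds; classtype:trojan-activity; sid:4078202; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Domain alfa-stroy72.com"; dns.query; content:"alfa-stroy72.com"; nocase; pcre:"/(^|[^A-Za-z0-9-])alfa\-stroy72\.com$/i"; classtype:trojan-activity; sid:4078211; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Outgoing HTTP Domain alfa-stroy72.com"; flow:to_server,established; http.host; content:"alfa-stroy72.com"; fast_pattern; endswith; pcre:"/(^|\.)alfa\-stroy72\.com$/"; tag:session,600,seconds; classtype:trojan-activity; sid:4078212; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Domain offroadbeasts.com"; dns.query; content:"offroadbeasts.com"; nocase; pcre:"/(^|[^A-Za-z0-9-])offroadbeasts\.com$/i"; classtype:trojan-activity; sid:4078221; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Outgoing HTTP Domain offroadbeasts.com"; flow:to_server,established; http.host; content:"offroadbeasts.com"; fast_pattern; endswith; pcre:"/(^|\.)offroadbeasts\.com$/"; tag:session,600,seconds; classtype:trojan-activity; sid:4078222; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Domain americafirstcommittee.org"; dns.query; content:"americafirstcommittee.org"; nocase; pcre:"/(^|[^A-Za-z0-9-])americafirstcommittee\.org$/i"; classtype:trojan-activity; sid:4078231; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Outgoing HTTP Domain americafirstcommittee.org"; flow:to_server,established; http.host; content:"americafirstcommittee.org"; fast_pattern; endswith; pcre:"/(^|\.)americafirstcommittee\.org$/"; tag:session,600,seconds; classtype:trojan-activity; sid:4078232; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Domain lapinvihreat.fi"; dns.query; content:"lapinvihreat.fi"; nocase; pcre:"/(^|[^A-Za-z0-9-])lapinvihreat\.fi$/i"; classtype:trojan-activity; sid:4078241; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Outgoing HTTP Domain lapinvihreat.fi"; flow:to_server,established; http.host; content:"lapinvihreat.fi"; fast_pattern; endswith; pcre:"/(^|\.)lapinvihreat\.fi$/"; tag:session,600,seconds; classtype:trojan-activity; sid:4078242; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Domain chatizel-paysage.fr"; dns.query; content:"chatizel-paysage.fr"; nocase; pcre:"/(^|[^A-Za-z0-9-])chatizel\-paysage\.fr$/i"; classtype:trojan-activity; sid:4078251; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Outgoing HTTP Domain chatizel-paysage.fr"; flow:to_server,established; http.host; content:"chatizel-paysage.fr"; fast_pattern; endswith; pcre:"/(^|\.)chatizel\-paysage\.fr$/"; tag:session,600,seconds; classtype:trojan-activity; sid:4078252; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Domain deepsouthclothingcompany.com"; dns.query; content:"deepsouthclothingcompany.com"; nocase; pcre:"/(^|[^A-Za-z0-9-])deepsouthclothingcompany\.com$/i"; classtype:trojan-activity; sid:4078261; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Outgoing HTTP Domain deepsouthclothingcompany.com"; flow:to_server,established; http.host; content:"deepsouthclothingcompany.com"; fast_pattern; endswith; pcre:"/(^|\.)deepsouthclothingcompany\.com$/"; tag:session,600,seconds; classtype:trojan-activity; sid:4078262; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Domain allfortheloveofyou.com"; dns.query; content:"allfortheloveofyou.com"; nocase; pcre:"/(^|[^A-Za-z0-9-])allfortheloveofyou\.com$/i"; classtype:trojan-activity; sid:4078271; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Outgoing HTTP Domain allfortheloveofyou.com"; flow:to_server,established; http.host; content:"allfortheloveofyou.com"; fast_pattern; endswith; pcre:"/(^|\.)allfortheloveofyou\.com$/"; tag:session,600,seconds; classtype:trojan-activity; sid:4078272; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Domain rushhourappliances.com"; dns.query; content:"rushhourappliances.com"; nocase; pcre:"/(^|[^A-Za-z0-9-])rushhourappliances\.com$/i"; classtype:trojan-activity; sid:4078281; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Outgoing HTTP Domain rushhourappliances.com"; flow:to_server,established; http.host; content:"rushhourappliances.com"; fast_pattern; endswith; pcre:"/(^|\.)rushhourappliances\.com$/"; tag:session,600,seconds; classtype:trojan-activity; sid:4078282; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Domain international-sound-awards.com"; dns.query; content:"international-sound-awards.com"; nocase; pcre:"/(^|[^A-Za-z0-9-])international\-sound\-awards\.com$/i"; classtype:trojan-activity; sid:4078291; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Outgoing HTTP Domain international-sound-awards.com"; flow:to_server,established; http.host; content:"international-sound-awards.com"; fast_pattern; endswith; pcre:"/(^|\.)international\-sound\-awards\.com$/"; tag:session,600,seconds; classtype:trojan-activity; sid:4078292; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Domain aodaichandung.com"; dns.query; content:"aodaichandung.com"; nocase; pcre:"/(^|[^A-Za-z0-9-])aodaichandung\.com$/i"; classtype:trojan-activity; sid:4078301; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Outgoing HTTP Domain aodaichandung.com"; flow:to_server,established; http.host; content:"aodaichandung.com"; fast_pattern; endswith; pcre:"/(^|\.)aodaichandung\.com$/"; tag:session,600,seconds; classtype:trojan-activity; sid:4078302; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Domain nandistribution.nl"; dns.query; content:"nandistribution.nl"; nocase; pcre:"/(^|[^A-Za-z0-9-])nandistribution\.nl$/i"; classtype:trojan-activity; sid:4078311; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Outgoing HTTP Domain nandistribution.nl"; flow:to_server,established; http.host; content:"nandistribution.nl"; fast_pattern; endswith; pcre:"/(^|\.)nandistribution\.nl$/"; tag:session,600,seconds; classtype:trojan-activity; sid:4078312; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Domain lebellevue.fr"; dns.query; content:"lebellevue.fr"; nocase; pcre:"/(^|[^A-Za-z0-9-])lebellevue\.fr$/i"; classtype:trojan-activity; sid:4078321; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Outgoing HTTP Domain lebellevue.fr"; flow:to_server,established; http.host; content:"lebellevue.fr"; fast_pattern; endswith; pcre:"/(^|\.)lebellevue\.fr$/"; tag:session,600,seconds; classtype:trojan-activity; sid:4078322; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Domain camsadviser.com"; dns.query; content:"camsadviser.com"; nocase; pcre:"/(^|[^A-Za-z0-9-])camsadviser\.com$/i"; classtype:trojan-activity; sid:4078331; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Outgoing HTTP Domain camsadviser.com"; flow:to_server,established; http.host; content:"camsadviser.com"; fast_pattern; endswith; pcre:"/(^|\.)camsadviser\.com$/"; tag:session,600,seconds; classtype:trojan-activity; sid:4078332; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Domain highimpactoutdoors.net"; dns.query; content:"highimpactoutdoors.net"; nocase; pcre:"/(^|[^A-Za-z0-9-])highimpactoutdoors\.net$/i"; classtype:trojan-activity; sid:4078341; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Outgoing HTTP Domain highimpactoutdoors.net"; flow:to_server,established; http.host; content:"highimpactoutdoors.net"; fast_pattern; endswith; pcre:"/(^|\.)highimpactoutdoors\.net$/"; tag:session,600,seconds; classtype:trojan-activity; sid:4078342; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Domain brandl-blumen.de"; dns.query; content:"brandl-blumen.de"; nocase; pcre:"/(^|[^A-Za-z0-9-])brandl\-blumen\.de$/i"; classtype:trojan-activity; sid:4078351; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Outgoing HTTP Domain brandl-blumen.de"; flow:to_server,established; http.host; content:"brandl-blumen.de"; fast_pattern; endswith; pcre:"/(^|\.)brandl\-blumen\.de$/"; tag:session,600,seconds; classtype:trojan-activity; sid:4078352; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# Hostname indicator: exact name only, so the http rule pins the buffer length
# with bsize instead of allowing subdomains.
alert dns any any -> any any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Hostname parking.netgateway.eu"; dns.query; content:"parking.netgateway.eu"; nocase; pcre:"/(^|[^A-Za-z0-9-\.])parking\.netgateway\.eu$/i"; classtype:trojan-activity; sid:4078361; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Outgoing HTTP Hostname parking.netgateway.eu"; flow:to_server,established; http.host; content:"parking.netgateway.eu"; fast_pattern; bsize:21; tag:session,600,seconds; classtype:trojan-activity; sid:4078362; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Domain modamilyon.com"; dns.query; content:"modamilyon.com"; nocase; pcre:"/(^|[^A-Za-z0-9-])modamilyon\.com$/i"; classtype:trojan-activity; sid:4078371; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Outgoing HTTP Domain modamilyon.com"; flow:to_server,established; http.host; content:"modamilyon.com"; fast_pattern; endswith; pcre:"/(^|\.)modamilyon\.com$/"; tag:session,600,seconds; classtype:trojan-activity; sid:4078372; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Domain cafemattmeera.com"; dns.query; content:"cafemattmeera.com"; nocase; pcre:"/(^|[^A-Za-z0-9-])cafemattmeera\.com$/i"; classtype:trojan-activity; sid:4078381; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Outgoing HTTP Domain cafemattmeera.com"; flow:to_server,established; http.host; content:"cafemattmeera.com"; fast_pattern; endswith; pcre:"/(^|\.)cafemattmeera\.com$/"; tag:session,600,seconds; classtype:trojan-activity; sid:4078382; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Domain csgospeltips.se"; dns.query; content:"csgospeltips.se"; nocase; pcre:"/(^|[^A-Za-z0-9-])csgospeltips\.se$/i"; classtype:trojan-activity; sid:4078391; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Outgoing HTTP Domain csgospeltips.se"; flow:to_server,established; http.host; content:"csgospeltips.se"; fast_pattern; endswith; pcre:"/(^|\.)csgospeltips\.se$/"; tag:session,600,seconds; classtype:trojan-activity; sid:4078392; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Domain bauertree.com"; dns.query; content:"bauertree.com"; nocase; pcre:"/(^|[^A-Za-z0-9-])bauertree\.com$/i"; classtype:trojan-activity; sid:4078401; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Outgoing HTTP Domain bauertree.com"; flow:to_server,established; http.host; content:"bauertree.com"; fast_pattern; endswith; pcre:"/(^|\.)bauertree\.com$/"; tag:session,600,seconds; classtype:trojan-activity; sid:4078402; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Domain gratispresent.se"; dns.query; content:"gratispresent.se"; nocase; pcre:"/(^|[^A-Za-z0-9-])gratispresent\.se$/i"; classtype:trojan-activity; sid:4078411; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Outgoing HTTP Domain gratispresent.se"; flow:to_server,established; http.host; content:"gratispresent.se"; fast_pattern; endswith; pcre:"/(^|\.)gratispresent\.se$/"; tag:session,600,seconds; classtype:trojan-activity; sid:4078412; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Domain solerluethi-allart.ch"; dns.query; content:"solerluethi-allart.ch"; nocase; pcre:"/(^|[^A-Za-z0-9-])solerluethi\-allart\.ch$/i"; classtype:trojan-activity; sid:4078421; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Outgoing HTTP Domain solerluethi-allart.ch"; flow:to_server,established; http.host; content:"solerluethi-allart.ch"; fast_pattern; endswith; pcre:"/(^|\.)solerluethi\-allart\.ch$/"; tag:session,600,seconds; classtype:trojan-activity; sid:4078422; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Domain tophumanservicescourses.com"; dns.query; content:"tophumanservicescourses.com"; nocase; pcre:"/(^|[^A-Za-z0-9-])tophumanservicescourses\.com$/i"; classtype:trojan-activity; sid:4078431; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Outgoing HTTP Domain tophumanservicescourses.com"; flow:to_server,established; http.host; content:"tophumanservicescourses.com"; fast_pattern; endswith; pcre:"/(^|\.)tophumanservicescourses\.com$/"; tag:session,600,seconds; classtype:trojan-activity; sid:4078432; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Domain siliconbeach-realestate.com"; dns.query; content:"siliconbeach-realestate.com"; nocase; pcre:"/(^|[^A-Za-z0-9-])siliconbeach\-realestate\.com$/i"; classtype:trojan-activity; sid:4078441; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Outgoing HTTP Domain siliconbeach-realestate.com"; flow:to_server,established; http.host; content:"siliconbeach-realestate.com"; fast_pattern; endswith; pcre:"/(^|\.)siliconbeach\-realestate\.com$/"; tag:session,600,seconds; classtype:trojan-activity; sid:4078442; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Domain marketingsulweb.com"; dns.query; content:"marketingsulweb.com"; nocase; pcre:"/(^|[^A-Za-z0-9-])marketingsulweb\.com$/i"; classtype:trojan-activity; sid:4078451; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Outgoing HTTP Domain marketingsulweb.com"; flow:to_server,established; http.host; content:"marketingsulweb.com"; fast_pattern; endswith; pcre:"/(^|\.)marketingsulweb\.com$/"; tag:session,600,seconds; classtype:trojan-activity; sid:4078452; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Domain hotelzentral.at"; dns.query; content:"hotelzentral.at"; nocase; pcre:"/(^|[^A-Za-z0-9-])hotelzentral\.at$/i"; classtype:trojan-activity; sid:4078461; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Outgoing HTTP Domain hotelzentral.at"; flow:to_server,established; http.host; content:"hotelzentral.at"; fast_pattern; endswith; pcre:"/(^|\.)hotelzentral\.at$/"; tag:session,600,seconds; classtype:trojan-activity; sid:4078462; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Domain hmsdanmark.dk"; dns.query; content:"hmsdanmark.dk"; nocase; pcre:"/(^|[^A-Za-z0-9-])hmsdanmark\.dk$/i"; classtype:trojan-activity; sid:4078471; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Outgoing HTTP Domain hmsdanmark.dk"; flow:to_server,established; http.host; content:"hmsdanmark.dk"; fast_pattern; endswith; pcre:"/(^|\.)hmsdanmark\.dk$/"; tag:session,600,seconds; classtype:trojan-activity; sid:4078472; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Domain walter-lemm.de"; dns.query; content:"walter-lemm.de"; nocase; pcre:"/(^|[^A-Za-z0-9-])walter\-lemm\.de$/i"; classtype:trojan-activity; sid:4078481; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Outgoing HTTP Domain walter-lemm.de"; flow:to_server,established; http.host; content:"walter-lemm.de"; fast_pattern; endswith; pcre:"/(^|\.)walter\-lemm\.de$/"; tag:session,600,seconds; classtype:trojan-activity; sid:4078482; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Domain softsproductkey.com"; dns.query; content:"softsproductkey.com"; nocase; pcre:"/(^|[^A-Za-z0-9-])softsproductkey\.com$/i"; classtype:trojan-activity; sid:4078491; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Outgoing HTTP Domain softsproductkey.com"; flow:to_server,established; http.host; content:"softsproductkey.com"; fast_pattern; endswith; pcre:"/(^|\.)softsproductkey\.com$/"; tag:session,600,seconds; classtype:trojan-activity; sid:4078492; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# Hostname indicators (exact name only; bsize pins the http.host length).
alert dns any any -> any any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Hostname andersongilmour.co.uk"; dns.query; content:"andersongilmour.co.uk"; nocase; pcre:"/(^|[^A-Za-z0-9-\.])andersongilmour\.co\.uk$/i"; classtype:trojan-activity; sid:4078501; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Outgoing HTTP Hostname andersongilmour.co.uk"; flow:to_server,established; http.host; content:"andersongilmour.co.uk"; fast_pattern; bsize:21; tag:session,600,seconds; classtype:trojan-activity; sid:4078502; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Hostname rota-installations.co.uk"; dns.query; content:"rota-installations.co.uk"; nocase; pcre:"/(^|[^A-Za-z0-9-\.])rota\-installations\.co\.uk$/i"; classtype:trojan-activity; sid:4078511; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Outgoing HTTP Hostname rota-installations.co.uk"; flow:to_server,established; http.host; content:"rota-installations.co.uk"; fast_pattern; bsize:24; tag:session,600,seconds; classtype:trojan-activity; sid:4078512; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Domain talentwunder.com"; dns.query; content:"talentwunder.com"; nocase; pcre:"/(^|[^A-Za-z0-9-])talentwunder\.com$/i"; classtype:trojan-activity; sid:4078521; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Outgoing HTTP Domain talentwunder.com"; flow:to_server,established; http.host; content:"talentwunder.com"; fast_pattern; endswith; pcre:"/(^|\.)talentwunder\.com$/"; tag:session,600,seconds; classtype:trojan-activity; sid:4078522; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Domain boulderwelt-muenchen-west.de"; dns.query; content:"boulderwelt-muenchen-west.de"; nocase; pcre:"/(^|[^A-Za-z0-9-])boulderwelt\-muenchen\-west\.de$/i"; classtype:trojan-activity; sid:4078531; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Outgoing HTTP Domain boulderwelt-muenchen-west.de"; flow:to_server,established; http.host; content:"boulderwelt-muenchen-west.de"; fast_pattern; endswith; pcre:"/(^|\.)boulderwelt\-muenchen\-west\.de$/"; tag:session,600,seconds; classtype:trojan-activity; sid:4078532; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Domain corona-handles.com"; dns.query; content:"corona-handles.com"; nocase; pcre:"/(^|[^A-Za-z0-9-])corona\-handles\.com$/i"; classtype:trojan-activity; sid:4078541; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Outgoing HTTP Domain corona-handles.com"; flow:to_server,established; http.host; content:"corona-handles.com"; fast_pattern; endswith; pcre:"/(^|\.)corona\-handles\.com$/"; tag:session,600,seconds; classtype:trojan-activity; sid:4078542; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg:"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\",misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\",tlp:white] Domain euro-trend.pl"; dns.query; content:"euro-trend.pl"; nocase; pcre:"/(^|[^A-Za-z0-9-])euro\-trend\.pl$/i"; classtype:trojan-activity; sid:4078551; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# The http rule for euro-trend.pl continues beyond this span and is left exactly
# as exported (unescaped msg quotes, http.header matching, rev:1).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain euro-trend.pl"; flow:to_server,established; http.header; content: 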
"Host|3a|"; nocase; http.header; content:"euro-trend.pl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])euro\-trend\.pl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078552; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain syndikat-asphaltfieber.de"; dns.query; content:"syndikat-asphaltfieber.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])syndikat\-asphaltfieber\.de$/i"; classtype:trojan-activity; sid:4078561; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain syndikat-asphaltfieber.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"syndikat-asphaltfieber.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])syndikat\-asphaltfieber\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078562; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain kamahouse.net"; dns.query; content:"kamahouse.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])kamahouse\.net$/i"; classtype:trojan-activity; sid:4078571; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain kamahouse.net"; flow:to_server,established; http.header; 
content: "Host|3a|"; nocase; http.header; content:"kamahouse.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kamahouse\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078572; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain cuppacap.com"; dns.query; content:"cuppacap.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])cuppacap\.com$/i"; classtype:trojan-activity; sid:4078581; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain cuppacap.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cuppacap.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cuppacap\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078582; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain cursoporcelanatoliquido.online"; dns.query; content:"cursoporcelanatoliquido.online"; nocase; pcre: "/(^|[^A-Za-z0-9-])cursoporcelanatoliquido\.online$/i"; classtype:trojan-activity; sid:4078591; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain cursoporcelanatoliquido.online"; flow:to_server,established; http.header; content: 
"Host|3a|"; nocase; http.header; content:"cursoporcelanatoliquido.online"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cursoporcelanatoliquido\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078592; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain videomarketing.pro"; dns.query; content:"videomarketing.pro"; nocase; pcre: "/(^|[^A-Za-z0-9-])videomarketing\.pro$/i"; classtype:trojan-activity; sid:4078601; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain videomarketing.pro"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"videomarketing.pro"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])videomarketing\.pro[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078602; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain mmgdouai.fr"; dns.query; content:"mmgdouai.fr"; nocase; pcre: "/(^|[^A-Za-z0-9-])mmgdouai\.fr$/i"; classtype:trojan-activity; sid:4078611; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain mmgdouai.fr"; flow:to_server,established; http.header; content: "Host|3a|"; 
nocase; http.header; content:"mmgdouai.fr"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mmgdouai\.fr[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078612; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain theduke.de"; dns.query; content:"theduke.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])theduke\.de$/i"; classtype:trojan-activity; sid:4078621; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain theduke.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"theduke.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])theduke\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078622; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain gastsicht.de"; dns.query; content:"gastsicht.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])gastsicht\.de$/i"; classtype:trojan-activity; sid:4078631; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain gastsicht.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gastsicht.de"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])gastsicht\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078632; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain pridoxmaterieel.nl"; dns.query; content:"pridoxmaterieel.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])pridoxmaterieel\.nl$/i"; classtype:trojan-activity; sid:4078641; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain pridoxmaterieel.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pridoxmaterieel.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pridoxmaterieel\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078642; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain 101gowrie.com"; dns.query; content:"101gowrie.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])101gowrie\.com$/i"; classtype:trojan-activity; sid:4078651; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain 101gowrie.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"101gowrie.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])101gowrie\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078652; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain echtveilig.nl"; dns.query; content:"echtveilig.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])echtveilig\.nl$/i"; classtype:trojan-activity; sid:4078661; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain echtveilig.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"echtveilig.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])echtveilig\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078662; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain promesapuertorico.com"; dns.query; content:"promesapuertorico.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])promesapuertorico\.com$/i"; classtype:trojan-activity; sid:4078671; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain promesapuertorico.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"promesapuertorico.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])promesapuertorico\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078672; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain caribbeansunpoker.com"; dns.query; content:"caribbeansunpoker.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])caribbeansunpoker\.com$/i"; classtype:trojan-activity; sid:4078681; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain caribbeansunpoker.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"caribbeansunpoker.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])caribbeansunpoker\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078682; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain lorenacarnero.com"; dns.query; content:"lorenacarnero.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])lorenacarnero\.com$/i"; classtype:trojan-activity; sid:4078691; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain lorenacarnero.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lorenacarnero.com"; fast_pattern; nocase; 
pcre: "/(^|[^A-Za-z0-9-])lorenacarnero\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078692; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain romeguidedvisit.com"; dns.query; content:"romeguidedvisit.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])romeguidedvisit\.com$/i"; classtype:trojan-activity; sid:4078701; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain romeguidedvisit.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"romeguidedvisit.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])romeguidedvisit\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078702; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain acomprarseguidores.com"; dns.query; content:"acomprarseguidores.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])acomprarseguidores\.com$/i"; classtype:trojan-activity; sid:4078711; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain acomprarseguidores.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"acomprarseguidores.com"; 
fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])acomprarseguidores\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078712; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain dareckleyministries.com"; dns.query; content:"dareckleyministries.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])dareckleyministries\.com$/i"; classtype:trojan-activity; sid:4078721; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain dareckleyministries.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dareckleyministries.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dareckleyministries\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078722; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain darrenkeslerministries.com"; dns.query; content:"darrenkeslerministries.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])darrenkeslerministries\.com$/i"; classtype:trojan-activity; sid:4078731; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain darrenkeslerministries.com"; flow:to_server,established; http.header; content: 
"Host|3a|"; nocase; http.header; content:"darrenkeslerministries.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])darrenkeslerministries\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078732; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain myzk.site"; dns.query; content:"myzk.site"; nocase; pcre: "/(^|[^A-Za-z0-9-])myzk\.site$/i"; classtype:trojan-activity; sid:4078741; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain myzk.site"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"myzk.site"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])myzk\.site[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078742; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain sotsioloogia.ee"; dns.query; content:"sotsioloogia.ee"; nocase; pcre: "/(^|[^A-Za-z0-9-])sotsioloogia\.ee$/i"; classtype:trojan-activity; sid:4078751; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain sotsioloogia.ee"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sotsioloogia.ee"; 
fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sotsioloogia\.ee[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078752; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain erstatningsadvokaterne.dk"; dns.query; content:"erstatningsadvokaterne.dk"; nocase; pcre: "/(^|[^A-Za-z0-9-])erstatningsadvokaterne\.dk$/i"; classtype:trojan-activity; sid:4078761; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain erstatningsadvokaterne.dk"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"erstatningsadvokaterne.dk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])erstatningsadvokaterne\.dk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078762; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain work2live.de"; dns.query; content:"work2live.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])work2live\.de$/i"; classtype:trojan-activity; sid:4078771; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain work2live.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"work2live.de"; 
fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])work2live\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078772; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain micro-automation.de"; dns.query; content:"micro-automation.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])micro\-automation\.de$/i"; classtype:trojan-activity; sid:4078781; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain micro-automation.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"micro-automation.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])micro\-automation\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078782; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain cleliaekiko.online"; dns.query; content:"cleliaekiko.online"; nocase; pcre: "/(^|[^A-Za-z0-9-])cleliaekiko\.online$/i"; classtype:trojan-activity; sid:4078791; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain cleliaekiko.online"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cleliaekiko.online"; 
fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cleliaekiko\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078792; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain wasmachtmeinfonds.at"; dns.query; content:"wasmachtmeinfonds.at"; nocase; pcre: "/(^|[^A-Za-z0-9-])wasmachtmeinfonds\.at$/i"; classtype:trojan-activity; sid:4078801; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain wasmachtmeinfonds.at"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wasmachtmeinfonds.at"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wasmachtmeinfonds\.at[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078802; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain airconditioning-waalwijk.nl"; dns.query; content:"airconditioning-waalwijk.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])airconditioning\-waalwijk\.nl$/i"; classtype:trojan-activity; sid:4078811; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain airconditioning-waalwijk.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; 
http.header; content:"airconditioning-waalwijk.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])airconditioning\-waalwijk\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078812; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# --- MISP event 208: domain attributes exported as Suricata rules ---
# Each attribute yields a pair: a DNS-query rule (sid ending in 1; "any any -> any any",
# so it fires on queries from any host in either direction) and an HTTP rule (sid ending
# in 2; $HOME_NET -> $EXTERNAL_NET, flow:to_server,established, tagging the session for
# 600 s). All pairs carry priority:1 and classtype:trojan-activity.
# NOTE(review): the msg strings embed the galaxy tag values with unescaped inner double
# quotes ("Mimikatz - S0002", "PsExec - S0029"). Verify that the ruleset loads cleanly
# with `suricata -T` before relying on it; a rule the parser rejects is skipped at load
# time and contributes nothing to detection.
# NOTE(review): the Domain pcre "(^|[^A-Za-z0-9-])name$" accepts a '.' in front of the
# name, so every subdomain of a listed domain also matches (compare the Hostname pair
# for smart-light.co.uk below, whose leading class also excludes '.'). The HTTP rules
# test "Host|3a|" and the domain as two independent http.header content matches with no
# distance/within between them, so the domain appearing in another header (Referer,
# Origin, ...) alerts as well; read a hit as "name seen in request headers", not
# "Host header equals name".
# NOTE(review): only DNS and cleartext-HTTP rules are present for these names; no
# tls.sni rule is exported, so an HTTPS connection is visible only through the
# preceding DNS query. Several names look like ordinary business sites; if they are
# compromised hosts rather than attacker-registered domains, expect benign traffic to
# match too, and weigh that against priority:1 when tuning.
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain podsosnami.ru"; dns.query; content:"podsosnami.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])podsosnami\.ru$/i"; classtype:trojan-activity; sid:4078821; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain podsosnami.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"podsosnami.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])podsosnami\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078822; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain micahkoleoso.de"; dns.query; content:"micahkoleoso.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])micahkoleoso\.de$/i"; classtype:trojan-activity; sid:4078831; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain micahkoleoso.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"micahkoleoso.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])micahkoleoso\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078832; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain berliner-versicherungsvergleich.de"; dns.query; content:"berliner-versicherungsvergleich.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])berliner\-versicherungsvergleich\.de$/i"; classtype:trojan-activity; sid:4078841; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain berliner-versicherungsvergleich.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"berliner-versicherungsvergleich.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])berliner\-versicherungsvergleich\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078842; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain punchbaby.com"; dns.query; content:"punchbaby.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])punchbaby\.com$/i"; classtype:trojan-activity; sid:4078851; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain punchbaby.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"punchbaby.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])punchbaby\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078852; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain oncarrot.com"; dns.query; content:"oncarrot.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])oncarrot\.com$/i"; classtype:trojan-activity; sid:4078861; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain oncarrot.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"oncarrot.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])oncarrot\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078862; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain kedak.de"; dns.query; content:"kedak.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])kedak\.de$/i"; classtype:trojan-activity; sid:4078871; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain kedak.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kedak.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kedak\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078872; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain fotoscondron.com"; dns.query; content:"fotoscondron.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])fotoscondron\.com$/i"; classtype:trojan-activity; sid:4078881; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain fotoscondron.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"fotoscondron.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])fotoscondron\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078882; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain themadbotter.com"; dns.query; content:"themadbotter.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])themadbotter\.com$/i"; classtype:trojan-activity; sid:4078891; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain themadbotter.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"themadbotter.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])themadbotter\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078892; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain body-armour.online"; dns.query; content:"body-armour.online"; nocase; pcre: "/(^|[^A-Za-z0-9-])body\-armour\.online$/i"; classtype:trojan-activity; sid:4078901; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain body-armour.online"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"body-armour.online"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])body\-armour\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078902; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain insp.bi"; dns.query; content:"insp.bi"; nocase; pcre: "/(^|[^A-Za-z0-9-])insp\.bi$/i"; classtype:trojan-activity; sid:4078911; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain insp.bi"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"insp.bi"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])insp\.bi[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078912; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain physiofischer.de"; dns.query; content:"physiofischer.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])physiofischer\.de$/i"; classtype:trojan-activity; sid:4078921; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain physiofischer.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"physiofischer.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])physiofischer\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078922; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain space.ua"; dns.query; content:"space.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])space\.ua$/i"; classtype:trojan-activity; sid:4078931; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain space.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"space.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])space\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078932; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain lachofikschiet.nl"; dns.query; content:"lachofikschiet.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])lachofikschiet\.nl$/i"; classtype:trojan-activity; sid:4078941; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain lachofikschiet.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lachofikschiet.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lachofikschiet\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078942; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain phantastyk.com"; dns.query; content:"phantastyk.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])phantastyk\.com$/i"; classtype:trojan-activity; sid:4078951; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain phantastyk.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"phantastyk.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])phantastyk\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078952; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain dezatec.es"; dns.query; content:"dezatec.es"; nocase; pcre: "/(^|[^A-Za-z0-9-])dezatec\.es$/i"; classtype:trojan-activity; sid:4078961; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain dezatec.es"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dezatec.es"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dezatec\.es[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078962; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain charlottepoudroux-photographie.fr"; dns.query; content:"charlottepoudroux-photographie.fr"; nocase; pcre: "/(^|[^A-Za-z0-9-])charlottepoudroux\-photographie\.fr$/i"; classtype:trojan-activity; sid:4078971; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain charlottepoudroux-photographie.fr"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"charlottepoudroux-photographie.fr"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])charlottepoudroux\-photographie\.fr[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078972; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain associationanalytics.com"; dns.query; content:"associationanalytics.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])associationanalytics\.com$/i"; classtype:trojan-activity; sid:4078981; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain associationanalytics.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"associationanalytics.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])associationanalytics\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078982; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain vox-surveys.com"; dns.query; content:"vox-surveys.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])vox\-surveys\.com$/i"; classtype:trojan-activity; sid:4078991; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain vox-surveys.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vox-surveys.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vox\-surveys\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4078992; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain daniel-akermann-architektur-und-planung.ch"; dns.query; content:"daniel-akermann-architektur-und-planung.ch"; nocase; pcre: "/(^|[^A-Za-z0-9-])daniel\-akermann\-architektur\-und\-planung\.ch$/i"; classtype:trojan-activity; sid:4079001; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain daniel-akermann-architektur-und-planung.ch"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"daniel-akermann-architektur-und-planung.ch"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])daniel\-akermann\-architektur\-und\-planung\.ch[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079002; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain hugoversichert.de"; dns.query; content:"hugoversichert.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])hugoversichert\.de$/i"; classtype:trojan-activity; sid:4079011; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain hugoversichert.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hugoversichert.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hugoversichert\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079012; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain assurancesalextrespaille.fr"; dns.query; content:"assurancesalextrespaille.fr"; nocase; pcre: "/(^|[^A-Za-z0-9-])assurancesalextrespaille\.fr$/i"; classtype:trojan-activity; sid:4079021; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain assurancesalextrespaille.fr"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"assurancesalextrespaille.fr"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])assurancesalextrespaille\.fr[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079022; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain latestmodsapks.com"; dns.query; content:"latestmodsapks.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])latestmodsapks\.com$/i"; classtype:trojan-activity; sid:4079031; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain latestmodsapks.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"latestmodsapks.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])latestmodsapks\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079032; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain embracinghiscall.com"; dns.query; content:"embracinghiscall.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])embracinghiscall\.com$/i"; classtype:trojan-activity; sid:4079041; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain embracinghiscall.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"embracinghiscall.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])embracinghiscall\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079042; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain webcodingstudio.com"; dns.query; content:"webcodingstudio.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])webcodingstudio\.com$/i"; classtype:trojan-activity; sid:4079051; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain webcodingstudio.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"webcodingstudio.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])webcodingstudio\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079052; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain kafu.ch"; dns.query; content:"kafu.ch"; nocase; pcre: "/(^|[^A-Za-z0-9-])kafu\.ch$/i"; classtype:trojan-activity; sid:4079061; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain kafu.ch"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kafu.ch"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kafu\.ch[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079062; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain digivod.de"; dns.query; content:"digivod.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])digivod\.de$/i"; classtype:trojan-activity; sid:4079071; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain digivod.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"digivod.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])digivod\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079072; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain dinslips.se"; dns.query; content:"dinslips.se"; nocase; pcre: "/(^|[^A-Za-z0-9-])dinslips\.se$/i"; classtype:trojan-activity; sid:4079081; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain dinslips.se"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dinslips.se"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dinslips\.se[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079082; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain mapawood.com"; dns.query; content:"mapawood.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])mapawood\.com$/i"; classtype:trojan-activity; sid:4079091; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain mapawood.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mapawood.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mapawood\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079092; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain theapifactory.com"; dns.query; content:"theapifactory.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])theapifactory\.com$/i"; classtype:trojan-activity; sid:4079101; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain theapifactory.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"theapifactory.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])theapifactory\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079102; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain michaelsmeriglioracing.com"; dns.query; content:"michaelsmeriglioracing.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])michaelsmeriglioracing\.com$/i"; classtype:trojan-activity; sid:4079111; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain michaelsmeriglioracing.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"michaelsmeriglioracing.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])michaelsmeriglioracing\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079112; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain piajeppesen.dk"; dns.query; content:"piajeppesen.dk"; nocase; pcre: "/(^|[^A-Za-z0-9-])piajeppesen\.dk$/i"; classtype:trojan-activity; sid:4079121; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain piajeppesen.dk"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"piajeppesen.dk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])piajeppesen\.dk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079122; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain mastertechengineering.com"; dns.query; content:"mastertechengineering.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])mastertechengineering\.com$/i"; classtype:trojan-activity; sid:4079131; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain mastertechengineering.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mastertechengineering.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mastertechengineering\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079132; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# Hostname attribute (not Domain): the leading class is [^A-Za-z0-9-\.], so only the
# exact host matches (no subdomains), and the HTTP rule anchors the name directly to
# the Host header in a single "Host|3a| ..." content match.
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname smart-light.co.uk"; dns.query; content:"smart-light.co.uk"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])smart\-light\.co\.uk$/i"; classtype:trojan-activity; sid:4079141; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname smart-light.co.uk"; flow:to_server,established; http.header; content: "Host|3a| smart-light.co.uk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])smart\-light\.co\.uk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079142; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain lefumetdesdombes.com"; dns.query; content:"lefumetdesdombes.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])lefumetdesdombes\.com$/i"; classtype:trojan-activity; sid:4079151; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain lefumetdesdombes.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lefumetdesdombes.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lefumetdesdombes\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079152; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain antiaginghealthbenefits.com"; dns.query; content:"antiaginghealthbenefits.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])antiaginghealthbenefits\.com$/i"; classtype:trojan-activity; sid:4079161; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain antiaginghealthbenefits.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"antiaginghealthbenefits.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])antiaginghealthbenefits\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079162; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain jameskibbie.com"; dns.query; content:"jameskibbie.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])jameskibbie\.com$/i"; classtype:trojan-activity; sid:4079171; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain jameskibbie.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"jameskibbie.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])jameskibbie\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079172; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain coding-machine.com"; dns.query; content:"coding-machine.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])coding\-machine\.com$/i"; classtype:trojan-activity; sid:4079181; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain coding-machine.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"coding-machine.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])coding\-machine\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079182; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain mediaclan.info"; dns.query; content:"mediaclan.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])mediaclan\.info$/i"; classtype:trojan-activity; sid:4079191; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain mediaclan.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mediaclan.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mediaclan\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079192; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain sairaku.net"; dns.query; content:"sairaku.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])sairaku\.net$/i"; classtype:trojan-activity; sid:4079201; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain sairaku.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sairaku.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sairaku\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079202; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain systemate.dk"; dns.query; content:"systemate.dk"; nocase; pcre: "/(^|[^A-Za-z0-9-])systemate\.dk$/i"; classtype:trojan-activity; sid:4079211; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain systemate.dk"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"systemate.dk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])systemate\.dk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079212; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain comparatif-lave-linge.fr"; dns.query; content:"comparatif-lave-linge.fr"; nocase; pcre: "/(^|[^A-Za-z0-9-])comparatif\-lave\-linge\.fr$/i"; classtype:trojan-activity; sid:4079221; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain comparatif-lave-linge.fr"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"comparatif-lave-linge.fr"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])comparatif\-lave\-linge\.fr[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079222; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# NOTE(review): sid 4079231/4079232 are missing between the previous pair and the next;
# presumably an event attribute that was not exported (e.g. not flagged for IDS) —
# confirm against the event if complete coverage of event 208 matters.
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain gantungankunciakrilikbandung.com"; dns.query; content:"gantungankunciakrilikbandung.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])gantungankunciakrilikbandung\.com$/i"; classtype:trojan-activity; sid:4079241; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain gantungankunciakrilikbandung.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gantungankunciakrilikbandung.com"; fast_pattern; 
nocase; pcre: "/(^|[^A-Za-z0-9-])gantungankunciakrilikbandung\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079242; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain herbstfeststaefa.ch"; dns.query; content:"herbstfeststaefa.ch"; nocase; pcre: "/(^|[^A-Za-z0-9-])herbstfeststaefa\.ch$/i"; classtype:trojan-activity; sid:4079251; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain herbstfeststaefa.ch"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"herbstfeststaefa.ch"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])herbstfeststaefa\.ch[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079252; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain iwr.nl"; dns.query; content:"iwr.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])iwr\.nl$/i"; classtype:trojan-activity; sid:4079261; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain iwr.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"iwr.nl"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])iwr\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079262; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain buroludo.nl"; dns.query; content:"buroludo.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])buroludo\.nl$/i"; classtype:trojan-activity; sid:4079271; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain buroludo.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"buroludo.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])buroludo\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079272; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain innote.fi"; dns.query; content:"innote.fi"; nocase; pcre: "/(^|[^A-Za-z0-9-])innote\.fi$/i"; classtype:trojan-activity; sid:4079281; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain innote.fi"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"innote.fi"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])innote\.fi[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; 
sid:4079282; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain bestbet.com"; dns.query; content:"bestbet.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])bestbet\.com$/i"; classtype:trojan-activity; sid:4079291; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain bestbet.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bestbet.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bestbet\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079292; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain carlosja.com"; dns.query; content:"carlosja.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])carlosja\.com$/i"; classtype:trojan-activity; sid:4079301; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain carlosja.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"carlosja.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])carlosja\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079302; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) 
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain 365questions.org"; dns.query; content:"365questions.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])365questions\.org$/i"; classtype:trojan-activity; sid:4079311; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain 365questions.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"365questions.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])365questions\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079312; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname milltimber.aberdeen.sch.uk"; dns.query; content:"milltimber.aberdeen.sch.uk"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])milltimber\.aberdeen\.sch\.uk$/i"; classtype:trojan-activity; sid:4079321; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname milltimber.aberdeen.sch.uk"; flow:to_server,established; http.header; content: "Host|3a| milltimber.aberdeen.sch.uk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])milltimber\.aberdeen\.sch\.uk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079322; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain promalaga.es"; dns.query; content:"promalaga.es"; nocase; pcre: "/(^|[^A-Za-z0-9-])promalaga\.es$/i"; classtype:trojan-activity; sid:4079331; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain promalaga.es"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"promalaga.es"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])promalaga\.es[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079332; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain all-turtles.com"; dns.query; content:"all-turtles.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])all\-turtles\.com$/i"; classtype:trojan-activity; sid:4079341; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain all-turtles.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"all-turtles.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])all\-turtles\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079342; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns 
any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname alvinschwartz.wordpress.com"; dns.query; content:"alvinschwartz.wordpress.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])alvinschwartz\.wordpress\.com$/i"; classtype:trojan-activity; sid:4079351; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname alvinschwartz.wordpress.com"; flow:to_server,established; http.header; content: "Host|3a| alvinschwartz.wordpress.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])alvinschwartz\.wordpress\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079352; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain socstrp.org"; dns.query; content:"socstrp.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])socstrp\.org$/i"; classtype:trojan-activity; sid:4079361; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain socstrp.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"socstrp.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])socstrp\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079362; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any 
(msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain gopackapp.com"; dns.query; content:"gopackapp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])gopackapp\.com$/i"; classtype:trojan-activity; sid:4079371; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain gopackapp.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gopackapp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gopackapp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079372; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain makeurvoiceheard.com"; dns.query; content:"makeurvoiceheard.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])makeurvoiceheard\.com$/i"; classtype:trojan-activity; sid:4079381; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain makeurvoiceheard.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"makeurvoiceheard.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])makeurvoiceheard\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079382; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain mariposapropaneaz.com"; dns.query; content:"mariposapropaneaz.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])mariposapropaneaz\.com$/i"; classtype:trojan-activity; sid:4079391; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain mariposapropaneaz.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mariposapropaneaz.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mariposapropaneaz\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079392; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain slashdb.com"; dns.query; content:"slashdb.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])slashdb\.com$/i"; classtype:trojan-activity; sid:4079401; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain slashdb.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"slashdb.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])slashdb\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079402; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain shsthepapercut.com"; dns.query; content:"shsthepapercut.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])shsthepapercut\.com$/i"; classtype:trojan-activity; sid:4079411; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain shsthepapercut.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"shsthepapercut.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])shsthepapercut\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079412; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname katiekerr.co.uk"; dns.query; content:"katiekerr.co.uk"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])katiekerr\.co\.uk$/i"; classtype:trojan-activity; sid:4079421; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname katiekerr.co.uk"; flow:to_server,established; http.header; content: "Host|3a| katiekerr.co.uk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])katiekerr\.co\.uk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079422; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - 
S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain bigbaguettes.eu"; dns.query; content:"bigbaguettes.eu"; nocase; pcre: "/(^|[^A-Za-z0-9-])bigbaguettes\.eu$/i"; classtype:trojan-activity; sid:4079431; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain bigbaguettes.eu"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bigbaguettes.eu"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bigbaguettes\.eu[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079432; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname transliminaltribe.wordpress.com"; dns.query; content:"transliminaltribe.wordpress.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])transliminaltribe\.wordpress\.com$/i"; classtype:trojan-activity; sid:4079441; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname transliminaltribe.wordpress.com"; flow:to_server,established; http.header; content: "Host|3a| transliminaltribe.wordpress.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])transliminaltribe\.wordpress\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079442; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain cortec-neuro.com"; dns.query; content:"cortec-neuro.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])cortec\-neuro\.com$/i"; classtype:trojan-activity; sid:4079451; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain cortec-neuro.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cortec-neuro.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cortec\-neuro\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079452; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname smejump.co.th"; dns.query; content:"smejump.co.th"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])smejump\.co\.th$/i"; classtype:trojan-activity; sid:4079461; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname smejump.co.th"; flow:to_server,established; http.header; content: "Host|3a| smejump.co.th"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])smejump\.co\.th[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079462; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - 
S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain zimmerei-deboer.de"; dns.query; content:"zimmerei-deboer.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])zimmerei\-deboer\.de$/i"; classtype:trojan-activity; sid:4079471; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain zimmerei-deboer.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"zimmerei-deboer.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])zimmerei\-deboer\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079472; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname newstap.com.ng"; dns.query; content:"newstap.com.ng"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])newstap\.com\.ng$/i"; classtype:trojan-activity; sid:4079481; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname newstap.com.ng"; flow:to_server,established; http.header; content: "Host|3a| newstap.com.ng"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])newstap\.com\.ng[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079482; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - 
S0029",tlp:white] Domain vetapharma.fr"; dns.query; content:"vetapharma.fr"; nocase; pcre: "/(^|[^A-Za-z0-9-])vetapharma\.fr$/i"; classtype:trojan-activity; sid:4079491; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain vetapharma.fr"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vetapharma.fr"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vetapharma\.fr[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079492; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain manifestinglab.com"; dns.query; content:"manifestinglab.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])manifestinglab\.com$/i"; classtype:trojan-activity; sid:4079501; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain manifestinglab.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"manifestinglab.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])manifestinglab\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079502; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain onlybacklink.com"; 
dns.query; content:"onlybacklink.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])onlybacklink\.com$/i"; classtype:trojan-activity; sid:4079511; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain onlybacklink.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"onlybacklink.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])onlybacklink\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079512; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain sandd.nl"; dns.query; content:"sandd.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])sandd\.nl$/i"; classtype:trojan-activity; sid:4079521; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain sandd.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sandd.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sandd\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079522; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname trulynolen.co.uk"; dns.query; content:"trulynolen.co.uk"; nocase; pcre: 
"/(^|[^A-Za-z0-9-\.])trulynolen\.co\.uk$/i"; classtype:trojan-activity; sid:4079531; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname trulynolen.co.uk"; flow:to_server,established; http.header; content: "Host|3a| trulynolen.co.uk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])trulynolen\.co\.uk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079532; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain live-con-arte.de"; dns.query; content:"live-con-arte.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])live\-con\-arte\.de$/i"; classtype:trojan-activity; sid:4079541; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain live-con-arte.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"live-con-arte.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])live\-con\-arte\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079542; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain fitnessingbyjessica.com"; dns.query; content:"fitnessingbyjessica.com"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])fitnessingbyjessica\.com$/i"; classtype:trojan-activity; sid:4079551; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain fitnessingbyjessica.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"fitnessingbyjessica.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])fitnessingbyjessica\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079552; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain puertamatic.es"; dns.query; content:"puertamatic.es"; nocase; pcre: "/(^|[^A-Za-z0-9-])puertamatic\.es$/i"; classtype:trojan-activity; sid:4079561; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain puertamatic.es"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"puertamatic.es"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])puertamatic\.es[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079562; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain pier40forall.org"; dns.query; content:"pier40forall.org"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])pier40forall\.org$/i"; classtype:trojan-activity; sid:4079571; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain pier40forall.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pier40forall.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pier40forall\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079572; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain shiresresidential.com"; dns.query; content:"shiresresidential.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])shiresresidential\.com$/i"; classtype:trojan-activity; sid:4079581; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain shiresresidential.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"shiresresidential.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])shiresresidential\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079582; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname dnepr-beskid.com.ua"; dns.query; content:"dnepr-beskid.com.ua"; nocase; pcre: 
"/(^|[^A-Za-z0-9-\.])dnepr\-beskid\.com\.ua$/i"; classtype:trojan-activity; sid:4079591; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname dnepr-beskid.com.ua"; flow:to_server,established; http.header; content: "Host|3a| dnepr-beskid.com.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])dnepr\-beskid\.com\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079592; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain creamery201.com"; dns.query; content:"creamery201.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])creamery201\.com$/i"; classtype:trojan-activity; sid:4079601; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain creamery201.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"creamery201.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])creamery201\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079602; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain devstyle.org"; dns.query; content:"devstyle.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])devstyle\.org$/i"; 
classtype:trojan-activity; sid:4079611; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain devstyle.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"devstyle.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])devstyle\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079612; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain asgestion.com"; dns.query; content:"asgestion.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])asgestion\.com$/i"; classtype:trojan-activity; sid:4079621; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain asgestion.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"asgestion.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])asgestion\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079622; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain amerikansktgodis.se"; dns.query; content:"amerikansktgodis.se"; nocase; pcre: "/(^|[^A-Za-z0-9-])amerikansktgodis\.se$/i"; classtype:trojan-activity; sid:4079631; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain amerikansktgodis.se"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"amerikansktgodis.se"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])amerikansktgodis\.se[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079632; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain bodyforwife.com"; dns.query; content:"bodyforwife.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])bodyforwife\.com$/i"; classtype:trojan-activity; sid:4079641; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain bodyforwife.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bodyforwife.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bodyforwife\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079642; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain iviaggisonciliegie.it"; dns.query; content:"iviaggisonciliegie.it"; nocase; pcre: "/(^|[^A-Za-z0-9-])iviaggisonciliegie\.it$/i"; classtype:trojan-activity; sid:4079651; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain iviaggisonciliegie.it"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"iviaggisonciliegie.it"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])iviaggisonciliegie\.it[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079652; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain finde-deine-marke.de"; dns.query; content:"finde-deine-marke.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])finde\-deine\-marke\.de$/i"; classtype:trojan-activity; sid:4079661; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain finde-deine-marke.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"finde-deine-marke.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])finde\-deine\-marke\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079662; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain augenta.com"; dns.query; content:"augenta.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])augenta\.com$/i"; classtype:trojan-activity; sid:4079671; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain augenta.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"augenta.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])augenta\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079672; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain lecantou-coworking.com"; dns.query; content:"lecantou-coworking.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])lecantou\-coworking\.com$/i"; classtype:trojan-activity; sid:4079681; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain lecantou-coworking.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lecantou-coworking.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lecantou\-coworking\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079682; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain seitzdruck.com"; dns.query; content:"seitzdruck.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])seitzdruck\.com$/i"; classtype:trojan-activity; sid:4079691; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain seitzdruck.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"seitzdruck.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])seitzdruck\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079692; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain testcoreprohealthuk.com"; dns.query; content:"testcoreprohealthuk.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])testcoreprohealthuk\.com$/i"; classtype:trojan-activity; sid:4079701; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain testcoreprohealthuk.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"testcoreprohealthuk.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])testcoreprohealthuk\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079702; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname argos.wityu.fund"; dns.query; content:"argos.wityu.fund"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])argos\.wityu\.fund$/i"; classtype:trojan-activity; sid:4079711; rev:1; 
priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname argos.wityu.fund"; flow:to_server,established; http.header; content: "Host|3a| argos.wityu.fund"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])argos\.wityu\.fund[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079712; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain patrickfoundation.net"; dns.query; content:"patrickfoundation.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])patrickfoundation\.net$/i"; classtype:trojan-activity; sid:4079721; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain patrickfoundation.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"patrickfoundation.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])patrickfoundation\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079722; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain corola.es"; dns.query; content:"corola.es"; nocase; pcre: "/(^|[^A-Za-z0-9-])corola\.es$/i"; classtype:trojan-activity; sid:4079731; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain corola.es"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"corola.es"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])corola\.es[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079732; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain liikelataamo.fi"; dns.query; content:"liikelataamo.fi"; nocase; pcre: "/(^|[^A-Za-z0-9-])liikelataamo\.fi$/i"; classtype:trojan-activity; sid:4079741; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain liikelataamo.fi"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"liikelataamo.fi"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])liikelataamo\.fi[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079742; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain marcuswhitten.site"; dns.query; content:"marcuswhitten.site"; nocase; pcre: "/(^|[^A-Za-z0-9-])marcuswhitten\.site$/i"; classtype:trojan-activity; sid:4079751; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain marcuswhitten.site"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"marcuswhitten.site"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])marcuswhitten\.site[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079752; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain baumkuchenexpo.jp"; dns.query; content:"baumkuchenexpo.jp"; nocase; pcre: "/(^|[^A-Za-z0-9-])baumkuchenexpo\.jp$/i"; classtype:trojan-activity; sid:4079761; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain baumkuchenexpo.jp"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"baumkuchenexpo.jp"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])baumkuchenexpo\.jp[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079762; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain tinyagency.com"; dns.query; content:"tinyagency.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])tinyagency\.com$/i"; classtype:trojan-activity; sid:4079771; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain tinyagency.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tinyagency.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tinyagency\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079772; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain delawarecorporatelaw.com"; dns.query; content:"delawarecorporatelaw.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])delawarecorporatelaw\.com$/i"; classtype:trojan-activity; sid:4079781; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain delawarecorporatelaw.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"delawarecorporatelaw.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])delawarecorporatelaw\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079782; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain solhaug.tk"; dns.query; content:"solhaug.tk"; nocase; pcre: "/(^|[^A-Za-z0-9-])solhaug\.tk$/i"; classtype:trojan-activity; sid:4079791; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain solhaug.tk"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"solhaug.tk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])solhaug\.tk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079792; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain modelmaking.nl"; dns.query; content:"modelmaking.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])modelmaking\.nl$/i"; classtype:trojan-activity; sid:4079801; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain modelmaking.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"modelmaking.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])modelmaking\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079802; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain balticdermatology.lt"; dns.query; content:"balticdermatology.lt"; nocase; pcre: "/(^|[^A-Za-z0-9-])balticdermatology\.lt$/i"; classtype:trojan-activity; sid:4079811; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain balticdermatology.lt"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"balticdermatology.lt"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])balticdermatology\.lt[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079812; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain lmtprovisions.com"; dns.query; content:"lmtprovisions.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])lmtprovisions\.com$/i"; classtype:trojan-activity; sid:4079821; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain lmtprovisions.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lmtprovisions.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lmtprovisions\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079822; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain blacksirius.de"; dns.query; content:"blacksirius.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])blacksirius\.de$/i"; classtype:trojan-activity; sid:4079831; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain blacksirius.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"blacksirius.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])blacksirius\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079832; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain bee4win.com"; dns.query; content:"bee4win.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])bee4win\.com$/i"; classtype:trojan-activity; sid:4079841; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain bee4win.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bee4win.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bee4win\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079842; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain smartypractice.com"; dns.query; content:"smartypractice.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])smartypractice\.com$/i"; classtype:trojan-activity; sid:4079851; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - 
S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain smartypractice.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"smartypractice.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])smartypractice\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079852; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain daklesa.de"; dns.query; content:"daklesa.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])daklesa\.de$/i"; classtype:trojan-activity; sid:4079861; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain daklesa.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"daklesa.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])daklesa\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079862; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain gw2guilds.org"; dns.query; content:"gw2guilds.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])gw2guilds\.org$/i"; classtype:trojan-activity; sid:4079871; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] 
Outgoing HTTP Domain gw2guilds.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gw2guilds.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gw2guilds\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079872; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain heliomotion.com"; dns.query; content:"heliomotion.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])heliomotion\.com$/i"; classtype:trojan-activity; sid:4079881; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain heliomotion.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"heliomotion.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])heliomotion\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079882; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname ceres.org.au"; dns.query; content:"ceres.org.au"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ceres\.org\.au$/i"; classtype:trojan-activity; sid:4079891; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname ceres.org.au"; 
flow:to_server,established; http.header; content: "Host|3a| ceres.org.au"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ceres\.org\.au[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079892; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain cheminpsy.fr"; dns.query; content:"cheminpsy.fr"; nocase; pcre: "/(^|[^A-Za-z0-9-])cheminpsy\.fr$/i"; classtype:trojan-activity; sid:4079901; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain cheminpsy.fr"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cheminpsy.fr"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cheminpsy\.fr[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079902; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain vorotauu.ru"; dns.query; content:"vorotauu.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])vorotauu\.ru$/i"; classtype:trojan-activity; sid:4079911; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain vorotauu.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vorotauu.ru"; 
fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vorotauu\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079912; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain zweerscreatives.nl"; dns.query; content:"zweerscreatives.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])zweerscreatives\.nl$/i"; classtype:trojan-activity; sid:4079921; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain zweerscreatives.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"zweerscreatives.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])zweerscreatives\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079922; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain gonzalezfornes.es"; dns.query; content:"gonzalezfornes.es"; nocase; pcre: "/(^|[^A-Za-z0-9-])gonzalezfornes\.es$/i"; classtype:trojan-activity; sid:4079931; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain gonzalezfornes.es"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gonzalezfornes.es"; fast_pattern; nocase; 
pcre: "/(^|[^A-Za-z0-9-])gonzalezfornes\.es[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079932; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain uranus.nl"; dns.query; content:"uranus.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])uranus\.nl$/i"; classtype:trojan-activity; sid:4079941; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain uranus.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"uranus.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])uranus\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079942; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain kojinsaisei.info"; dns.query; content:"kojinsaisei.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])kojinsaisei\.info$/i"; classtype:trojan-activity; sid:4079951; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain kojinsaisei.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kojinsaisei.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kojinsaisei\.info[^A-Za-z0-9-\.]/Hi"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4079952; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain markelbroch.com"; dns.query; content:"markelbroch.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])markelbroch\.com$/i"; classtype:trojan-activity; sid:4079961; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain markelbroch.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"markelbroch.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])markelbroch\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079962; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain helenekowalsky.com"; dns.query; content:"helenekowalsky.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])helenekowalsky\.com$/i"; classtype:trojan-activity; sid:4079971; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain helenekowalsky.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"helenekowalsky.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])helenekowalsky\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4079972; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain sporthamper.com"; dns.query; content:"sporthamper.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])sporthamper\.com$/i"; classtype:trojan-activity; sid:4079981; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain sporthamper.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sporthamper.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sporthamper\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079982; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain montrium.com"; dns.query; content:"montrium.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])montrium\.com$/i"; classtype:trojan-activity; sid:4079991; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain montrium.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"montrium.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])montrium\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4079992; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain merzi.info"; dns.query; content:"merzi.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])merzi\.info$/i"; classtype:trojan-activity; sid:4080001; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain merzi.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"merzi.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])merzi\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080002; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain binder-buerotechnik.at"; dns.query; content:"binder-buerotechnik.at"; nocase; pcre: "/(^|[^A-Za-z0-9-])binder\-buerotechnik\.at$/i"; classtype:trojan-activity; sid:4080011; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain binder-buerotechnik.at"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"binder-buerotechnik.at"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])binder\-buerotechnik\.at[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080012; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain antonmack.de"; dns.query; content:"antonmack.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])antonmack\.de$/i"; classtype:trojan-activity; sid:4080021; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain antonmack.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"antonmack.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])antonmack\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080022; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain mooglee.com"; dns.query; content:"mooglee.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])mooglee\.com$/i"; classtype:trojan-activity; sid:4080031; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain mooglee.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mooglee.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mooglee\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080032; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: 
"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain mountaintoptinyhomes.com"; dns.query; content:"mountaintoptinyhomes.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])mountaintoptinyhomes\.com$/i"; classtype:trojan-activity; sid:4080041; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain mountaintoptinyhomes.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mountaintoptinyhomes.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mountaintoptinyhomes\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080042; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain otsu-bon.com"; dns.query; content:"otsu-bon.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])otsu\-bon\.com$/i"; classtype:trojan-activity; sid:4080051; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain otsu-bon.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"otsu-bon.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])otsu\-bon\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080052; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain allentownpapershow.com"; dns.query; content:"allentownpapershow.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])allentownpapershow\.com$/i"; classtype:trojan-activity; sid:4080061; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain allentownpapershow.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"allentownpapershow.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])allentownpapershow\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080062; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain bargningavesta.se"; dns.query; content:"bargningavesta.se"; nocase; pcre: "/(^|[^A-Za-z0-9-])bargningavesta\.se$/i"; classtype:trojan-activity; sid:4080071; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain bargningavesta.se"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bargningavesta.se"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bargningavesta\.se[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080072; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP 
e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain lubetkinmediacompanies.com"; dns.query; content:"lubetkinmediacompanies.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])lubetkinmediacompanies\.com$/i"; classtype:trojan-activity; sid:4080081; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain lubetkinmediacompanies.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lubetkinmediacompanies.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lubetkinmediacompanies\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080082; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain blood-sports.net"; dns.query; content:"blood-sports.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])blood\-sports\.net$/i"; classtype:trojan-activity; sid:4080091; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain blood-sports.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"blood-sports.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])blood\-sports\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080092; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any 
any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain blogdecachorros.com"; dns.query; content:"blogdecachorros.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])blogdecachorros\.com$/i"; classtype:trojan-activity; sid:4080101; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain blogdecachorros.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"blogdecachorros.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])blogdecachorros\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080102; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain bloggyboulga.net"; dns.query; content:"bloggyboulga.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])bloggyboulga\.net$/i"; classtype:trojan-activity; sid:4080111; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain bloggyboulga.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bloggyboulga.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bloggyboulga\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080112; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any 
(msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain suncrestcabinets.ca"; dns.query; content:"suncrestcabinets.ca"; nocase; pcre: "/(^|[^A-Za-z0-9-])suncrestcabinets\.ca$/i"; classtype:trojan-activity; sid:4080121; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain suncrestcabinets.ca"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"suncrestcabinets.ca"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])suncrestcabinets\.ca[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080122; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain advokathuset.dk"; dns.query; content:"advokathuset.dk"; nocase; pcre: "/(^|[^A-Za-z0-9-])advokathuset\.dk$/i"; classtype:trojan-activity; sid:4080131; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain advokathuset.dk"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"advokathuset.dk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])advokathuset\.dk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080132; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain mousepad-direkt.de"; dns.query; content:"mousepad-direkt.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])mousepad\-direkt\.de$/i"; classtype:trojan-activity; sid:4080141; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain mousepad-direkt.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mousepad-direkt.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mousepad\-direkt\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080142; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain porno-gringo.com"; dns.query; content:"porno-gringo.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])porno\-gringo\.com$/i"; classtype:trojan-activity; sid:4080151; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain porno-gringo.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"porno-gringo.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])porno\-gringo\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080152; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain x-ray.ca"; dns.query; content:"x-ray.ca"; nocase; pcre: "/(^|[^A-Za-z0-9-])x\-ray\.ca$/i"; classtype:trojan-activity; sid:4080161; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain x-ray.ca"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"x-ray.ca"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])x\-ray\.ca[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080162; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain bridgeloanslenders.com"; dns.query; content:"bridgeloanslenders.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])bridgeloanslenders\.com$/i"; classtype:trojan-activity; sid:4080171; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain bridgeloanslenders.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bridgeloanslenders.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bridgeloanslenders\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080172; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain groupe-cets.com"; dns.query; content:"groupe-cets.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])groupe\-cets\.com$/i"; classtype:trojan-activity; sid:4080181; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain groupe-cets.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"groupe-cets.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])groupe\-cets\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080182; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain wraithco.com"; dns.query; content:"wraithco.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])wraithco\.com$/i"; classtype:trojan-activity; sid:4080191; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain wraithco.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wraithco.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wraithco\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080192; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - 
S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain luxurytv.jp"; dns.query; content:"luxurytv.jp"; nocase; pcre: "/(^|[^A-Za-z0-9-])luxurytv\.jp$/i"; classtype:trojan-activity; sid:4080201; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain luxurytv.jp"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"luxurytv.jp"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])luxurytv\.jp[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080202; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain foretprivee.ca"; dns.query; content:"foretprivee.ca"; nocase; pcre: "/(^|[^A-Za-z0-9-])foretprivee\.ca$/i"; classtype:trojan-activity; sid:4080211; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain foretprivee.ca"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"foretprivee.ca"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])foretprivee\.ca[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080212; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] 
Domain todocaracoles.com"; dns.query; content:"todocaracoles.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])todocaracoles\.com$/i"; classtype:trojan-activity; sid:4080221; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain todocaracoles.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"todocaracoles.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])todocaracoles\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080222; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain psnacademy.in"; dns.query; content:"psnacademy.in"; nocase; pcre: "/(^|[^A-Za-z0-9-])psnacademy\.in$/i"; classtype:trojan-activity; sid:4080231; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain psnacademy.in"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"psnacademy.in"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])psnacademy\.in[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080232; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain besttechie.com"; dns.query; 
content:"besttechie.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])besttechie\.com$/i"; classtype:trojan-activity; sid:4080241; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain besttechie.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"besttechie.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])besttechie\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080242; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain panelsandwichmadrid.es"; dns.query; content:"panelsandwichmadrid.es"; nocase; pcre: "/(^|[^A-Za-z0-9-])panelsandwichmadrid\.es$/i"; classtype:trojan-activity; sid:4080251; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain panelsandwichmadrid.es"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"panelsandwichmadrid.es"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])panelsandwichmadrid\.es[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080252; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain skiltogprint.no"; dns.query; 
content:"skiltogprint.no"; nocase; pcre: "/(^|[^A-Za-z0-9-])skiltogprint\.no$/i"; classtype:trojan-activity; sid:4080261; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain skiltogprint.no"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"skiltogprint.no"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])skiltogprint\.no[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080262; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain haar-spange.com"; dns.query; content:"haar-spange.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])haar\-spange\.com$/i"; classtype:trojan-activity; sid:4080271; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain haar-spange.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"haar-spange.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])haar\-spange\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080272; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain penco.ie"; dns.query; content:"penco.ie"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])penco\.ie$/i"; classtype:trojan-activity; sid:4080281; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain penco.ie"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"penco.ie"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])penco\.ie[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080282; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain schraven.de"; dns.query; content:"schraven.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])schraven\.de$/i"; classtype:trojan-activity; sid:4080291; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain schraven.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"schraven.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])schraven\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080292; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname you-bysia.com.au"; dns.query; content:"you-bysia.com.au"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])you\-bysia\.com\.au$/i"; classtype:trojan-activity; sid:4080301; rev:1; 
priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname you-bysia.com.au"; flow:to_server,established; http.header; content: "Host|3a| you-bysia.com.au"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])you\-bysia\.com\.au[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080302; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname kaliber.co.jp"; dns.query; content:"kaliber.co.jp"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])kaliber\.co\.jp$/i"; classtype:trojan-activity; sid:4080311; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname kaliber.co.jp"; flow:to_server,established; http.header; content: "Host|3a| kaliber.co.jp"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])kaliber\.co\.jp[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080312; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain songunceliptv.com"; dns.query; content:"songunceliptv.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])songunceliptv\.com$/i"; classtype:trojan-activity; sid:4080321; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain songunceliptv.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"songunceliptv.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])songunceliptv\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080322; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain teknoz.net"; dns.query; content:"teknoz.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])teknoz\.net$/i"; classtype:trojan-activity; sid:4080331; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain teknoz.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"teknoz.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])teknoz\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080332; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain ilcdover.com"; dns.query; content:"ilcdover.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ilcdover\.com$/i"; classtype:trojan-activity; sid:4080341; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain ilcdover.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ilcdover.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ilcdover\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080342; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname pubweb.carnet.hr"; dns.query; content:"pubweb.carnet.hr"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])pubweb\.carnet\.hr$/i"; classtype:trojan-activity; sid:4080351; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname pubweb.carnet.hr"; flow:to_server,established; http.header; content: "Host|3a| pubweb.carnet.hr"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])pubweb\.carnet\.hr[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080352; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain gemeentehetkompas.nl"; dns.query; content:"gemeentehetkompas.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])gemeentehetkompas\.nl$/i"; classtype:trojan-activity; sid:4080361; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - 
S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain gemeentehetkompas.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gemeentehetkompas.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gemeentehetkompas\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080362; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain bouquet-de-roses.com"; dns.query; content:"bouquet-de-roses.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])bouquet\-de\-roses\.com$/i"; classtype:trojan-activity; sid:4080371; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain bouquet-de-roses.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bouquet-de-roses.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bouquet\-de\-roses\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080372; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain planchaavapor.net"; dns.query; content:"planchaavapor.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])planchaavapor\.net$/i"; classtype:trojan-activity; sid:4080381; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain planchaavapor.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"planchaavapor.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])planchaavapor\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080382; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain autofolierung-lu.de"; dns.query; content:"autofolierung-lu.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])autofolierung\-lu\.de$/i"; classtype:trojan-activity; sid:4080391; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain autofolierung-lu.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"autofolierung-lu.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])autofolierung\-lu\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080392; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain no-plans.com"; dns.query; content:"no-plans.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])no\-plans\.com$/i"; classtype:trojan-activity; sid:4080401; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain no-plans.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"no-plans.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])no\-plans\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080402; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname tradiematepro.com.au"; dns.query; content:"tradiematepro.com.au"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])tradiematepro\.com\.au$/i"; classtype:trojan-activity; sid:4080411; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname tradiematepro.com.au"; flow:to_server,established; http.header; content: "Host|3a| tradiematepro.com.au"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])tradiematepro\.com\.au[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080412; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain krlosdavid.com"; dns.query; content:"krlosdavid.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])krlosdavid\.com$/i"; classtype:trojan-activity; sid:4080421; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz 
- S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain krlosdavid.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"krlosdavid.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])krlosdavid\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080422; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain ladelirante.fr"; dns.query; content:"ladelirante.fr"; nocase; pcre: "/(^|[^A-Za-z0-9-])ladelirante\.fr$/i"; classtype:trojan-activity; sid:4080431; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain ladelirante.fr"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ladelirante.fr"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ladelirante\.fr[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080432; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain clos-galant.com"; dns.query; content:"clos-galant.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])clos\-galant\.com$/i"; classtype:trojan-activity; sid:4080441; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec 
- S0029",tlp:white] Outgoing HTTP Domain clos-galant.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"clos-galant.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])clos\-galant\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080442; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain luckypatcher-apkz.com"; dns.query; content:"luckypatcher-apkz.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])luckypatcher\-apkz\.com$/i"; classtype:trojan-activity; sid:4080451; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain luckypatcher-apkz.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"luckypatcher-apkz.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])luckypatcher\-apkz\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080452; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain supportsumba.nl"; dns.query; content:"supportsumba.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])supportsumba\.nl$/i"; classtype:trojan-activity; sid:4080461; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - 
S0029",tlp:white] Outgoing HTTP Domain supportsumba.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"supportsumba.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])supportsumba\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080462; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain qualitaetstag.de"; dns.query; content:"qualitaetstag.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])qualitaetstag\.de$/i"; classtype:trojan-activity; sid:4080471; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain qualitaetstag.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"qualitaetstag.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])qualitaetstag\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080472; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain advizewealth.com"; dns.query; content:"advizewealth.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])advizewealth\.com$/i"; classtype:trojan-activity; sid:4080481; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain 
advizewealth.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"advizewealth.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])advizewealth\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080482; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname myhealth.net.au"; dns.query; content:"myhealth.net.au"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])myhealth\.net\.au$/i"; classtype:trojan-activity; sid:4080491; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname myhealth.net.au"; flow:to_server,established; http.header; content: "Host|3a| myhealth.net.au"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])myhealth\.net\.au[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080492; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain run4study.com"; dns.query; content:"run4study.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])run4study\.com$/i"; classtype:trojan-activity; sid:4080501; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain run4study.com"; flow:to_server,established; http.header; content: 
"Host|3a|"; nocase; http.header; content:"run4study.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])run4study\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080502; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain better.town"; dns.query; content:"better.town"; nocase; pcre: "/(^|[^A-Za-z0-9-])better\.town$/i"; classtype:trojan-activity; sid:4080511; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain better.town"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"better.town"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])better\.town[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080512; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain igrealestate.com"; dns.query; content:"igrealestate.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])igrealestate\.com$/i"; classtype:trojan-activity; sid:4080521; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain igrealestate.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"igrealestate.com"; 
fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])igrealestate\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080522; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain bargningharnosand.se"; dns.query; content:"bargningharnosand.se"; nocase; pcre: "/(^|[^A-Za-z0-9-])bargningharnosand\.se$/i"; classtype:trojan-activity; sid:4080531; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain bargningharnosand.se"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bargningharnosand.se"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bargningharnosand\.se[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080532; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain stoeberstuuv.de"; dns.query; content:"stoeberstuuv.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])stoeberstuuv\.de$/i"; classtype:trojan-activity; sid:4080541; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain stoeberstuuv.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"stoeberstuuv.de"; fast_pattern; 
nocase; pcre: "/(^|[^A-Za-z0-9-])stoeberstuuv\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080542; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain sauschneider.info"; dns.query; content:"sauschneider.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])sauschneider\.info$/i"; classtype:trojan-activity; sid:4080551; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain sauschneider.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sauschneider.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sauschneider\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080552; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain alysonhoward.com"; dns.query; content:"alysonhoward.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])alysonhoward\.com$/i"; classtype:trojan-activity; sid:4080561; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain alysonhoward.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"alysonhoward.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])alysonhoward\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080562; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain braffinjurylawfirm.com"; dns.query; content:"braffinjurylawfirm.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])braffinjurylawfirm\.com$/i"; classtype:trojan-activity; sid:4080571; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain braffinjurylawfirm.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"braffinjurylawfirm.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])braffinjurylawfirm\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080572; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain nacktfalter.de"; dns.query; content:"nacktfalter.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])nacktfalter\.de$/i"; classtype:trojan-activity; sid:4080581; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain nacktfalter.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nacktfalter.de"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])nacktfalter\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080582; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain summitmarketingstrategies.com"; dns.query; content:"summitmarketingstrategies.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])summitmarketingstrategies\.com$/i"; classtype:trojan-activity; sid:4080591; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain summitmarketingstrategies.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"summitmarketingstrategies.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])summitmarketingstrategies\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080592; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain hvccfloorcare.com"; dns.query; content:"hvccfloorcare.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])hvccfloorcare\.com$/i"; classtype:trojan-activity; sid:4080601; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain hvccfloorcare.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; 
content:"hvccfloorcare.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hvccfloorcare\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080602; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain edv-live.de"; dns.query; content:"edv-live.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])edv\-live\.de$/i"; classtype:trojan-activity; sid:4080611; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain edv-live.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"edv-live.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])edv\-live\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080612; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname bunburyfreightservices.com.au"; dns.query; content:"bunburyfreightservices.com.au"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])bunburyfreightservices\.com\.au$/i"; classtype:trojan-activity; sid:4080621; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname bunburyfreightservices.com.au"; flow:to_server,established; http.header; content: "Host|3a| 
bunburyfreightservices.com.au"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])bunburyfreightservices\.com\.au[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080622; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain sagadc.com"; dns.query; content:"sagadc.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])sagadc\.com$/i"; classtype:trojan-activity; sid:4080631; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain sagadc.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sagadc.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sagadc\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080632; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain otto-bollmann.de"; dns.query; content:"otto-bollmann.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])otto\-bollmann\.de$/i"; classtype:trojan-activity; sid:4080641; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain otto-bollmann.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"otto-bollmann.de"; fast_pattern; nocase; 
pcre: "/(^|[^A-Za-z0-9-])otto\-bollmann\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080642; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain aarvorg.com"; dns.query; content:"aarvorg.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])aarvorg\.com$/i"; classtype:trojan-activity; sid:4080651; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain aarvorg.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"aarvorg.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])aarvorg\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080652; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain garage-lecompte-rouen.fr"; dns.query; content:"garage-lecompte-rouen.fr"; nocase; pcre: "/(^|[^A-Za-z0-9-])garage\-lecompte\-rouen\.fr$/i"; classtype:trojan-activity; sid:4080661; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain garage-lecompte-rouen.fr"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"garage-lecompte-rouen.fr"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])garage\-lecompte\-rouen\.fr[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080662; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain div-vertriebsforschung.de"; dns.query; content:"div-vertriebsforschung.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])div\-vertriebsforschung\.de$/i"; classtype:trojan-activity; sid:4080671; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain div-vertriebsforschung.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"div-vertriebsforschung.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])div\-vertriebsforschung\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080672; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain xoabigail.com"; dns.query; content:"xoabigail.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])xoabigail\.com$/i"; classtype:trojan-activity; sid:4080681; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain xoabigail.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"xoabigail.com"; fast_pattern; 
nocase; pcre: "/(^|[^A-Za-z0-9-])xoabigail\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080682; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain toreria.es"; dns.query; content:"toreria.es"; nocase; pcre: "/(^|[^A-Za-z0-9-])toreria\.es$/i"; classtype:trojan-activity; sid:4080691; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain toreria.es"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"toreria.es"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])toreria\.es[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080692; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain completeweddingkansas.com"; dns.query; content:"completeweddingkansas.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])completeweddingkansas\.com$/i"; classtype:trojan-activity; sid:4080701; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain completeweddingkansas.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"completeweddingkansas.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])completeweddingkansas\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080702; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain huissier-creteil.com"; dns.query; content:"huissier-creteil.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])huissier\-creteil\.com$/i"; classtype:trojan-activity; sid:4080711; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain huissier-creteil.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"huissier-creteil.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])huissier\-creteil\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080712; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname c-a.co.in"; dns.query; content:"c-a.co.in"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])c\-a\.co\.in$/i"; classtype:trojan-activity; sid:4080721; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname c-a.co.in"; flow:to_server,established; http.header; content: "Host|3a| c-a.co.in"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])c\-a\.co\.in[^A-Za-z0-9-\.]/Hi"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4080722; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname lynsayshepherd.co.uk"; dns.query; content:"lynsayshepherd.co.uk"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])lynsayshepherd\.co\.uk$/i"; classtype:trojan-activity; sid:4080731; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname lynsayshepherd.co.uk"; flow:to_server,established; http.header; content: "Host|3a| lynsayshepherd.co.uk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])lynsayshepherd\.co\.uk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080732; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain visiativ-industry.fr"; dns.query; content:"visiativ-industry.fr"; nocase; pcre: "/(^|[^A-Za-z0-9-])visiativ\-industry\.fr$/i"; classtype:trojan-activity; sid:4080741; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain visiativ-industry.fr"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"visiativ-industry.fr"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])visiativ\-industry\.fr[^A-Za-z0-9-\.]/Hi"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4080742; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain ecoledansemulhouse.fr"; dns.query; content:"ecoledansemulhouse.fr"; nocase; pcre: "/(^|[^A-Za-z0-9-])ecoledansemulhouse\.fr$/i"; classtype:trojan-activity; sid:4080751; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain ecoledansemulhouse.fr"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ecoledansemulhouse.fr"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ecoledansemulhouse\.fr[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080752; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain quickyfunds.com"; dns.query; content:"quickyfunds.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])quickyfunds\.com$/i"; classtype:trojan-activity; sid:4080761; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain quickyfunds.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"quickyfunds.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])quickyfunds\.com[^A-Za-z0-9-\.]/Hi"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4080762; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain stopilhan.com"; dns.query; content:"stopilhan.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])stopilhan\.com$/i"; classtype:trojan-activity; sid:4080771; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain stopilhan.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"stopilhan.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])stopilhan\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080772; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain nativeformulas.com"; dns.query; content:"nativeformulas.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])nativeformulas\.com$/i"; classtype:trojan-activity; sid:4080781; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain nativeformulas.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nativeformulas.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nativeformulas\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4080782; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain hashkasolutindo.com"; dns.query; content:"hashkasolutindo.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])hashkasolutindo\.com$/i"; classtype:trojan-activity; sid:4080791; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain hashkasolutindo.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hashkasolutindo.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hashkasolutindo\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080792; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain travelffeine.com"; dns.query; content:"travelffeine.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])travelffeine\.com$/i"; classtype:trojan-activity; sid:4080801; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain travelffeine.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"travelffeine.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])travelffeine\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4080802; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain labobit.it"; dns.query; content:"labobit.it"; nocase; pcre: "/(^|[^A-Za-z0-9-])labobit\.it$/i"; classtype:trojan-activity; sid:4080811; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain labobit.it"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"labobit.it"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])labobit\.it[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080812; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain abitur-undwieweiter.de"; dns.query; content:"abitur-undwieweiter.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])abitur\-undwieweiter\.de$/i"; classtype:trojan-activity; sid:4080821; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain abitur-undwieweiter.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"abitur-undwieweiter.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])abitur\-undwieweiter\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; 
sid:4080822; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain sahalstore.com"; dns.query; content:"sahalstore.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])sahalstore\.com$/i"; classtype:trojan-activity; sid:4080831; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain sahalstore.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sahalstore.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sahalstore\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080832; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain jacquin-maquettes.com"; dns.query; content:"jacquin-maquettes.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])jacquin\-maquettes\.com$/i"; classtype:trojan-activity; sid:4080841; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain jacquin-maquettes.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"jacquin-maquettes.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])jacquin\-maquettes\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080842; 
rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain xlarge.at"; dns.query; content:"xlarge.at"; nocase; pcre: "/(^|[^A-Za-z0-9-])xlarge\.at$/i"; classtype:trojan-activity; sid:4080851; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain xlarge.at"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"xlarge.at"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])xlarge\.at[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080852; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain jolly-events.com"; dns.query; content:"jolly-events.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])jolly\-events\.com$/i"; classtype:trojan-activity; sid:4080861; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain jolly-events.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"jolly-events.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])jolly\-events\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080862; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) 
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain bodyfulls.com"; dns.query; content:"bodyfulls.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])bodyfulls\.com$/i"; classtype:trojan-activity; sid:4080871; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain bodyfulls.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bodyfulls.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bodyfulls\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080872; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain architekturbuero-wagner.net"; dns.query; content:"architekturbuero-wagner.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])architekturbuero\-wagner\.net$/i"; classtype:trojan-activity; sid:4080881; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain architekturbuero-wagner.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"architekturbuero-wagner.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])architekturbuero\-wagner\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080882; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain 2ekeus.nl"; dns.query; content:"2ekeus.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])2ekeus\.nl$/i"; classtype:trojan-activity; sid:4080891; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain 2ekeus.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"2ekeus.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])2ekeus\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080892; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain berlin-bamboo-bikes.org"; dns.query; content:"berlin-bamboo-bikes.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])berlin\-bamboo\-bikes\.org$/i"; classtype:trojan-activity; sid:4080901; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain berlin-bamboo-bikes.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"berlin-bamboo-bikes.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])berlin\-bamboo\-bikes\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080902; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain sportsmassoren.com"; dns.query; content:"sportsmassoren.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])sportsmassoren\.com$/i"; classtype:trojan-activity; sid:4080911; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain sportsmassoren.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sportsmassoren.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sportsmassoren\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080912; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain lange.host"; dns.query; content:"lange.host"; nocase; pcre: "/(^|[^A-Za-z0-9-])lange\.host$/i"; classtype:trojan-activity; sid:4080921; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain lange.host"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lange.host"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lange\.host[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080922; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert 
dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain rehabilitationcentersinhouston.net"; dns.query; content:"rehabilitationcentersinhouston.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])rehabilitationcentersinhouston\.net$/i"; classtype:trojan-activity; sid:4080931; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain rehabilitationcentersinhouston.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"rehabilitationcentersinhouston.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])rehabilitationcentersinhouston\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080932; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain ligiercenter-sachsen.de"; dns.query; content:"ligiercenter-sachsen.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])ligiercenter\-sachsen\.de$/i"; classtype:trojan-activity; sid:4080941; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain ligiercenter-sachsen.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ligiercenter-sachsen.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ligiercenter\-sachsen\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4080942; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain readberserk.com"; dns.query; content:"readberserk.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])readberserk\.com$/i"; classtype:trojan-activity; sid:4080951; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain readberserk.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"readberserk.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])readberserk\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080952; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain biortaggivaldelsa.com"; dns.query; content:"biortaggivaldelsa.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])biortaggivaldelsa\.com$/i"; classtype:trojan-activity; sid:4080961; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain biortaggivaldelsa.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"biortaggivaldelsa.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])biortaggivaldelsa\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4080962; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain jvanvlietdichter.nl"; dns.query; content:"jvanvlietdichter.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])jvanvlietdichter\.nl$/i"; classtype:trojan-activity; sid:4080971; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain jvanvlietdichter.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"jvanvlietdichter.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])jvanvlietdichter\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080972; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain c2e-poitiers.com"; dns.query; content:"c2e-poitiers.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])c2e\-poitiers\.com$/i"; classtype:trojan-activity; sid:4080981; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain c2e-poitiers.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"c2e-poitiers.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])c2e\-poitiers\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4080982; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain ampisolabergeggi.it"; dns.query; content:"ampisolabergeggi.it"; nocase; pcre: "/(^|[^A-Za-z0-9-])ampisolabergeggi\.it$/i"; classtype:trojan-activity; sid:4080991; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain ampisolabergeggi.it"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ampisolabergeggi.it"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ampisolabergeggi\.it[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4080992; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain aurum-juweliere.de"; dns.query; content:"aurum-juweliere.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])aurum\-juweliere\.de$/i"; classtype:trojan-activity; sid:4081001; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain aurum-juweliere.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"aurum-juweliere.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])aurum\-juweliere\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4081002; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain nestor-swiss.ch"; dns.query; content:"nestor-swiss.ch"; nocase; pcre: "/(^|[^A-Za-z0-9-])nestor\-swiss\.ch$/i"; classtype:trojan-activity; sid:4081011; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain nestor-swiss.ch"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nestor-swiss.ch"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nestor\-swiss\.ch[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081012; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain mrsplans.net"; dns.query; content:"mrsplans.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])mrsplans\.net$/i"; classtype:trojan-activity; sid:4081021; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain mrsplans.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mrsplans.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mrsplans\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081022; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain marathonerpaolo.com"; dns.query; content:"marathonerpaolo.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])marathonerpaolo\.com$/i"; classtype:trojan-activity; sid:4081031; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain marathonerpaolo.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"marathonerpaolo.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])marathonerpaolo\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081032; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain nsec.se"; dns.query; content:"nsec.se"; nocase; pcre: "/(^|[^A-Za-z0-9-])nsec\.se$/i"; classtype:trojan-activity; sid:4081041; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain nsec.se"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nsec.se"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nsec\.se[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081042; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any 
-> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain edgewoodestates.org"; dns.query; content:"edgewoodestates.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])edgewoodestates\.org$/i"; classtype:trojan-activity; sid:4081051; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain edgewoodestates.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"edgewoodestates.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])edgewoodestates\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081052; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain firstpaymentservices.com"; dns.query; content:"firstpaymentservices.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])firstpaymentservices\.com$/i"; classtype:trojan-activity; sid:4081061; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain firstpaymentservices.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"firstpaymentservices.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])firstpaymentservices\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081062; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain strandcampingdoonbeg.com"; dns.query; content:"strandcampingdoonbeg.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])strandcampingdoonbeg\.com$/i"; classtype:trojan-activity; sid:4081071; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain strandcampingdoonbeg.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"strandcampingdoonbeg.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])strandcampingdoonbeg\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081072; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain cerebralforce.net"; dns.query; content:"cerebralforce.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])cerebralforce\.net$/i"; classtype:trojan-activity; sid:4081081; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain cerebralforce.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cerebralforce.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cerebralforce\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081082; 
rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain mrtour.site"; dns.query; content:"mrtour.site"; nocase; pcre: "/(^|[^A-Za-z0-9-])mrtour\.site$/i"; classtype:trojan-activity; sid:4081091; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain mrtour.site"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mrtour.site"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mrtour\.site[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081092; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain precisionbevel.com"; dns.query; content:"precisionbevel.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])precisionbevel\.com$/i"; classtype:trojan-activity; sid:4081101; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain precisionbevel.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"precisionbevel.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])precisionbevel\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081102; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain roygolden.com"; dns.query; content:"roygolden.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])roygolden\.com$/i"; classtype:trojan-activity; sid:4081111; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain roygolden.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"roygolden.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])roygolden\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081112; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain haremnick.com"; dns.query; content:"haremnick.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])haremnick\.com$/i"; classtype:trojan-activity; sid:4081121; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain haremnick.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"haremnick.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])haremnick\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081122; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any 
-> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname lukeshepley.wordpress.com"; dns.query; content:"lukeshepley.wordpress.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])lukeshepley\.wordpress\.com$/i"; classtype:trojan-activity; sid:4081131; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname lukeshepley.wordpress.com"; flow:to_server,established; http.header; content: "Host|3a| lukeshepley.wordpress.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])lukeshepley\.wordpress\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081132; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain adoptioperheet.fi"; dns.query; content:"adoptioperheet.fi"; nocase; pcre: "/(^|[^A-Za-z0-9-])adoptioperheet\.fi$/i"; classtype:trojan-activity; sid:4081141; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain adoptioperheet.fi"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"adoptioperheet.fi"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])adoptioperheet\.fi[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081142; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any 
-> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain slimidealherbal.com"; dns.query; content:"slimidealherbal.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])slimidealherbal\.com$/i"; classtype:trojan-activity; sid:4081151; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain slimidealherbal.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"slimidealherbal.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])slimidealherbal\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081152; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain interactcenter.org"; dns.query; content:"interactcenter.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])interactcenter\.org$/i"; classtype:trojan-activity; sid:4081161; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain interactcenter.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"interactcenter.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])interactcenter\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081162; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any 
any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain kaotikkustomz.com"; dns.query; content:"kaotikkustomz.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])kaotikkustomz\.com$/i"; classtype:trojan-activity; sid:4081171; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain kaotikkustomz.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kaotikkustomz.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kaotikkustomz\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081172; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain architecturalfiberglass.org"; dns.query; content:"architecturalfiberglass.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])architecturalfiberglass\.org$/i"; classtype:trojan-activity; sid:4081181; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain architecturalfiberglass.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"architecturalfiberglass.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])architecturalfiberglass\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081182; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain conasmanagement.de"; dns.query; content:"conasmanagement.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])conasmanagement\.de$/i"; classtype:trojan-activity; sid:4081191; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain conasmanagement.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"conasmanagement.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])conasmanagement\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081192; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname forestlakeuca.org.au"; dns.query; content:"forestlakeuca.org.au"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])forestlakeuca\.org\.au$/i"; classtype:trojan-activity; sid:4081201; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname forestlakeuca.org.au"; flow:to_server,established; http.header; content: "Host|3a| forestlakeuca.org.au"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])forestlakeuca\.org\.au[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081202; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain kostenlose-webcams.com"; dns.query; content:"kostenlose-webcams.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])kostenlose\-webcams\.com$/i"; classtype:trojan-activity; sid:4081211; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain kostenlose-webcams.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kostenlose-webcams.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kostenlose\-webcams\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081212; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain irishmachineryauctions.com"; dns.query; content:"irishmachineryauctions.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])irishmachineryauctions\.com$/i"; classtype:trojan-activity; sid:4081221; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain irishmachineryauctions.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"irishmachineryauctions.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])irishmachineryauctions\.com[^A-Za-z0-9-\.]/Hi"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4081222; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain schoellhammer.com"; dns.query; content:"schoellhammer.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])schoellhammer\.com$/i"; classtype:trojan-activity; sid:4081231; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain schoellhammer.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"schoellhammer.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])schoellhammer\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081232; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain opatrovanie-ako.sk"; dns.query; content:"opatrovanie-ako.sk"; nocase; pcre: "/(^|[^A-Za-z0-9-])opatrovanie\-ako\.sk$/i"; classtype:trojan-activity; sid:4081241; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain opatrovanie-ako.sk"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"opatrovanie-ako.sk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])opatrovanie\-ako\.sk[^A-Za-z0-9-\.]/Hi"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4081242; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
#
# --- Review notes on the MISP event 208 domain / hostname rules below ------
#
# 1. "Outgoing HTTP Domain" rules: the `Host|3a|` content and the domain
#    content are two independent http.header matches, and the pcre is not
#    anchored to the Host line either. Any request whose headers contain the
#    domain anywhere (Referer, Origin, a link in a cookie value, ...) will fire,
#    not only requests sent TO the domain. To pin the match to the requested
#    host, inspect the http.host buffer (or anchor the pcre with ^Host\x3a in
#    multiline mode) and re-test against known-good traffic before deploying
#    at priority 1.
#
# 2. "Domain" rules accept any character except [A-Za-z0-9-] before the name,
#    so subdomains (www.example.tld) match too. "Hostname" rules exclude '.'
#    as well ([^A-Za-z0-9-\.]) and match that exact host only. Keep that
#    distinction when adding entries or wondering why a subdomain did not hit.
#
# 3. The HTTP rules only see cleartext HTTP. An HTTPS connection to one of
#    these names is covered solely by the DNS rule (and not at all if the
#    client uses DoH or a resolver outside the sensor's view). If you need
#    on-the-wire coverage for TLS, add matching tls.sni rules under new sids.
#
# 4. Several indicators are hostnames on shared platforms (*.wordpress.com)
#    and the rest look like ordinary organisational web sites; this pattern is
#    consistent with compromised legitimate sites being used as infrastructure,
#    so normal browsing can trigger these rules. They are all priority:1 /
#    classtype:trojan-activity. Treat a hit as "contact with a listed
#    indicator", confirm against the referenced MISP event and your own
#    baseline, and consider threshold/suppress or a lower priority for noisy
#    entries rather than deleting them.
#
# 5. tag:session,600,seconds logs up to 10 minutes of each alerting flow.
#    That is useful for triage but is a storage and CPU cost on a busy
#    sensor; drop the tag if the pcap is not needed.
#
# 6. The msg strings embed unescaped double quotes coming from the galaxy
#    tag names (...tool="Mimikatz - S0002"...). Suricata documents that `"`
#    inside an option value must be escaped, so verify with `suricata -T`
#    (or the rule-load log) that these rules are actually loaded; if they are
#    rejected, escape the quotes as \" or export without galaxy tags in msg.
#
# Suricata expects one rule per line; each rule below is written on its own
# line.
#
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain shiftinspiration.com"; dns.query; content:"shiftinspiration.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])shiftinspiration\.com$/i"; classtype:trojan-activity; sid:4081251; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain shiftinspiration.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"shiftinspiration.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])shiftinspiration\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081252; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain naturavetal.hr"; dns.query; content:"naturavetal.hr"; nocase; pcre: "/(^|[^A-Za-z0-9-])naturavetal\.hr$/i"; classtype:trojan-activity; sid:4081261; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain naturavetal.hr"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"naturavetal.hr"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])naturavetal\.hr[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081262; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname ncid.bc.ca"; dns.query; content:"ncid.bc.ca"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ncid\.bc\.ca$/i"; classtype:trojan-activity; sid:4081271; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname ncid.bc.ca"; flow:to_server,established; http.header; content: "Host|3a| ncid.bc.ca"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ncid\.bc\.ca[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081272; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain symphonyenvironmental.com"; dns.query; content:"symphonyenvironmental.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])symphonyenvironmental\.com$/i"; classtype:trojan-activity; sid:4081281; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain symphonyenvironmental.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"symphonyenvironmental.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])symphonyenvironmental\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081282; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain oslomf.no"; dns.query; content:"oslomf.no"; nocase; pcre: "/(^|[^A-Za-z0-9-])oslomf\.no$/i"; classtype:trojan-activity; sid:4081291; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain oslomf.no"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"oslomf.no"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])oslomf\.no[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081292; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname victoriousfestival.co.uk"; dns.query; content:"victoriousfestival.co.uk"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])victoriousfestival\.co\.uk$/i"; classtype:trojan-activity; sid:4081301; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname victoriousfestival.co.uk"; flow:to_server,established; http.header; content: "Host|3a| victoriousfestival.co.uk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])victoriousfestival\.co\.uk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081302; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain saka.gr"; dns.query; content:"saka.gr"; nocase; pcre: "/(^|[^A-Za-z0-9-])saka\.gr$/i"; classtype:trojan-activity; sid:4081311; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain saka.gr"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"saka.gr"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])saka\.gr[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081312; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain smithmediastrategies.com"; dns.query; content:"smithmediastrategies.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])smithmediastrategies\.com$/i"; classtype:trojan-activity; sid:4081321; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain smithmediastrategies.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"smithmediastrategies.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])smithmediastrategies\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081322; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain finediningweek.pl"; dns.query; content:"finediningweek.pl"; nocase; pcre: "/(^|[^A-Za-z0-9-])finediningweek\.pl$/i"; classtype:trojan-activity; sid:4081331; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain finediningweek.pl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"finediningweek.pl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])finediningweek\.pl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081332; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain maxadams.london"; dns.query; content:"maxadams.london"; nocase; pcre: "/(^|[^A-Za-z0-9-])maxadams\.london$/i"; classtype:trojan-activity; sid:4081341; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain maxadams.london"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"maxadams.london"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])maxadams\.london[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081342; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain mdk-mediadesign.de"; dns.query; content:"mdk-mediadesign.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])mdk\-mediadesign\.de$/i"; classtype:trojan-activity; sid:4081351; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain mdk-mediadesign.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mdk-mediadesign.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mdk\-mediadesign\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081352; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain digi-talents.com"; dns.query; content:"digi-talents.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])digi\-talents\.com$/i"; classtype:trojan-activity; sid:4081361; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain digi-talents.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"digi-talents.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])digi\-talents\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081362; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain geisterradler.de"; dns.query; content:"geisterradler.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])geisterradler\.de$/i"; classtype:trojan-activity; sid:4081371; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain geisterradler.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"geisterradler.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])geisterradler\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081372; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain spargel-kochen.de"; dns.query; content:"spargel-kochen.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])spargel\-kochen\.de$/i"; classtype:trojan-activity; sid:4081381; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain spargel-kochen.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"spargel-kochen.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])spargel\-kochen\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081382; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain kampotpepper.gives"; dns.query; content:"kampotpepper.gives"; nocase; pcre: "/(^|[^A-Za-z0-9-])kampotpepper\.gives$/i"; classtype:trojan-activity; sid:4081391; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain kampotpepper.gives"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kampotpepper.gives"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kampotpepper\.gives[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081392; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname kidbucketlist.com.au"; dns.query; content:"kidbucketlist.com.au"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])kidbucketlist\.com\.au$/i"; classtype:trojan-activity; sid:4081401; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname kidbucketlist.com.au"; flow:to_server,established; http.header; content: "Host|3a| kidbucketlist.com.au"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])kidbucketlist\.com\.au[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081402; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain schutting-info.nl"; dns.query; content:"schutting-info.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])schutting\-info\.nl$/i"; classtype:trojan-activity; sid:4081411; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain schutting-info.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"schutting-info.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])schutting\-info\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081412; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain iphoneszervizbudapest.hu"; dns.query; content:"iphoneszervizbudapest.hu"; nocase; pcre: "/(^|[^A-Za-z0-9-])iphoneszervizbudapest\.hu$/i"; classtype:trojan-activity; sid:4081421; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain iphoneszervizbudapest.hu"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"iphoneszervizbudapest.hu"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])iphoneszervizbudapest\.hu[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081422; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain mindpackstudios.com"; dns.query; content:"mindpackstudios.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])mindpackstudios\.com$/i"; classtype:trojan-activity; sid:4081431; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain mindpackstudios.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mindpackstudios.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mindpackstudios\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081432; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain villa-marrakesch.de"; dns.query; content:"villa-marrakesch.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])villa\-marrakesch\.de$/i"; classtype:trojan-activity; sid:4081441; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain villa-marrakesch.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"villa-marrakesch.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])villa\-marrakesch\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081442; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain slimani.net"; dns.query; content:"slimani.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])slimani\.net$/i"; classtype:trojan-activity; sid:4081451; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain slimani.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"slimani.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])slimani\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081452; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain trystana.com"; dns.query; content:"trystana.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])trystana\.com$/i"; classtype:trojan-activity; sid:4081461; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain trystana.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"trystana.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])trystana\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081462; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain evangelische-pfarrgemeinde-tuniberg.de"; dns.query; content:"evangelische-pfarrgemeinde-tuniberg.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])evangelische\-pfarrgemeinde\-tuniberg\.de$/i"; classtype:trojan-activity; sid:4081471; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain evangelische-pfarrgemeinde-tuniberg.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"evangelische-pfarrgemeinde-tuniberg.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])evangelische\-pfarrgemeinde\-tuniberg\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081472; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain worldhealthbasicinfo.com"; dns.query; content:"worldhealthbasicinfo.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])worldhealthbasicinfo\.com$/i"; classtype:trojan-activity; sid:4081481; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain worldhealthbasicinfo.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"worldhealthbasicinfo.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])worldhealthbasicinfo\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081482; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain teresianmedia.org"; dns.query; content:"teresianmedia.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])teresianmedia\.org$/i"; classtype:trojan-activity; sid:4081491; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain teresianmedia.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"teresianmedia.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])teresianmedia\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081492; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname ouryoungminds.wordpress.com"; dns.query; content:"ouryoungminds.wordpress.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ouryoungminds\.wordpress\.com$/i"; classtype:trojan-activity; sid:4081501; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname ouryoungminds.wordpress.com"; flow:to_server,established; http.header; content: "Host|3a| ouryoungminds.wordpress.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ouryoungminds\.wordpress\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081502; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain ncuccr.org"; dns.query; content:"ncuccr.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])ncuccr\.org$/i"; classtype:trojan-activity; sid:4081511; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain ncuccr.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ncuccr.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ncuccr\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081512; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain lykkeliv.net"; dns.query; content:"lykkeliv.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])lykkeliv\.net$/i"; classtype:trojan-activity; sid:4081521; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain lykkeliv.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lykkeliv.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lykkeliv\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081522; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain krcove-zily.eu"; dns.query; content:"krcove-zily.eu"; nocase; pcre: "/(^|[^A-Za-z0-9-])krcove\-zily\.eu$/i"; classtype:trojan-activity; sid:4081531; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain krcove-zily.eu"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"krcove-zily.eu"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])krcove\-zily\.eu[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081532; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname smhydro.com.pl"; dns.query; content:"smhydro.com.pl"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])smhydro\.com\.pl$/i"; classtype:trojan-activity; sid:4081541; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname smhydro.com.pl"; flow:to_server,established; http.header; content: "Host|3a| smhydro.com.pl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])smhydro\.com\.pl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081542; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname easytrans.com.au"; dns.query; content:"easytrans.com.au"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])easytrans\.com\.au$/i"; classtype:trojan-activity; sid:4081551; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname easytrans.com.au"; flow:to_server,established; http.header; content: "Host|3a| easytrans.com.au"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])easytrans\.com\.au[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081552; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain werkkring.nl"; dns.query; content:"werkkring.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])werkkring\.nl$/i"; classtype:trojan-activity; sid:4081561; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain werkkring.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"werkkring.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])werkkring\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081562; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname smalltownideamill.wordpress.com"; dns.query; content:"smalltownideamill.wordpress.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])smalltownideamill\.wordpress\.com$/i"; classtype:trojan-activity; sid:4081571; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname smalltownideamill.wordpress.com"; flow:to_server,established; http.header; content: "Host|3a| smalltownideamill.wordpress.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])smalltownideamill\.wordpress\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081572; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain sabel-bf.com"; dns.query; content:"sabel-bf.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])sabel\-bf\.com$/i"; classtype:trojan-activity; sid:4081581; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain sabel-bf.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sabel-bf.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sabel\-bf\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081582; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain refluxreducer.com"; dns.query; content:"refluxreducer.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])refluxreducer\.com$/i"; classtype:trojan-activity; sid:4081591; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain refluxreducer.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"refluxreducer.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])refluxreducer\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081592; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain kalkulator-oszczednosci.pl"; dns.query; content:"kalkulator-oszczednosci.pl"; nocase; pcre: "/(^|[^A-Za-z0-9-])kalkulator\-oszczednosci\.pl$/i"; classtype:trojan-activity; sid:4081601; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain kalkulator-oszczednosci.pl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kalkulator-oszczednosci.pl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kalkulator\-oszczednosci\.pl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081602; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain rieed.de"; dns.query; content:"rieed.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])rieed\.de$/i"; classtype:trojan-activity; sid:4081611; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain rieed.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"rieed.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])rieed\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081612; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain dupontsellshomes.com"; dns.query; content:"dupontsellshomes.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])dupontsellshomes\.com$/i"; classtype:trojan-activity; sid:4081621; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain dupontsellshomes.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dupontsellshomes.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dupontsellshomes\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081622; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert 
dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain groupe-frayssinet.fr"; dns.query; content:"groupe-frayssinet.fr"; nocase; pcre: "/(^|[^A-Za-z0-9-])groupe\-frayssinet\.fr$/i"; classtype:trojan-activity; sid:4081631; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain groupe-frayssinet.fr"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"groupe-frayssinet.fr"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])groupe\-frayssinet\.fr[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081632; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain tarotdeseidel.com"; dns.query; content:"tarotdeseidel.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])tarotdeseidel\.com$/i"; classtype:trojan-activity; sid:4081641; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain tarotdeseidel.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tarotdeseidel.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tarotdeseidel\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081642; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns 
any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain cursosgratuitosnainternet.com"; dns.query; content:"cursosgratuitosnainternet.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])cursosgratuitosnainternet\.com$/i"; classtype:trojan-activity; sid:4081651; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain cursosgratuitosnainternet.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cursosgratuitosnainternet.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cursosgratuitosnainternet\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081652; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain spinheal.ru"; dns.query; content:"spinheal.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])spinheal\.ru$/i"; classtype:trojan-activity; sid:4081661; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain spinheal.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"spinheal.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])spinheal\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081662; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) 
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain roadwarrior.app"; dns.query; content:"roadwarrior.app"; nocase; pcre: "/(^|[^A-Za-z0-9-])roadwarrior\.app$/i"; classtype:trojan-activity; sid:4081671; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain roadwarrior.app"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"roadwarrior.app"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])roadwarrior\.app[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081672; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain basisschooldezonnewijzer.nl"; dns.query; content:"basisschooldezonnewijzer.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])basisschooldezonnewijzer\.nl$/i"; classtype:trojan-activity; sid:4081681; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain basisschooldezonnewijzer.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"basisschooldezonnewijzer.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])basisschooldezonnewijzer\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081682; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain tampaallen.com"; dns.query; content:"tampaallen.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])tampaallen\.com$/i"; classtype:trojan-activity; sid:4081691; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain tampaallen.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tampaallen.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tampaallen\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081692; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname croftprecision.co.uk"; dns.query; content:"croftprecision.co.uk"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])croftprecision\.co\.uk$/i"; classtype:trojan-activity; sid:4081701; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname croftprecision.co.uk"; flow:to_server,established; http.header; content: "Host|3a| croftprecision.co.uk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])croftprecision\.co\.uk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081702; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain platformier.com"; dns.query; content:"platformier.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])platformier\.com$/i"; classtype:trojan-activity; sid:4081711; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain platformier.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"platformier.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])platformier\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081712; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain zenderthelender.com"; dns.query; content:"zenderthelender.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])zenderthelender\.com$/i"; classtype:trojan-activity; sid:4081721; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain zenderthelender.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"zenderthelender.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])zenderthelender\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081722; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain kingfamily.construction"; dns.query; content:"kingfamily.construction"; nocase; pcre: "/(^|[^A-Za-z0-9-])kingfamily\.construction$/i"; classtype:trojan-activity; sid:4081731; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain kingfamily.construction"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kingfamily.construction"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kingfamily\.construction[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081732; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain noixdecocom.fr"; dns.query; content:"noixdecocom.fr"; nocase; pcre: "/(^|[^A-Za-z0-9-])noixdecocom\.fr$/i"; classtype:trojan-activity; sid:4081741; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain noixdecocom.fr"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"noixdecocom.fr"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])noixdecocom\.fr[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081742; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain pierrehale.com"; dns.query; content:"pierrehale.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])pierrehale\.com$/i"; classtype:trojan-activity; sid:4081761; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain pierrehale.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pierrehale.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pierrehale\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081762; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain leoben.at"; dns.query; content:"leoben.at"; nocase; pcre: "/(^|[^A-Za-z0-9-])leoben\.at$/i"; classtype:trojan-activity; sid:4081771; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain leoben.at"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"leoben.at"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])leoben\.at[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081772; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: 
"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain latribuessentielle.com"; dns.query; content:"latribuessentielle.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])latribuessentielle\.com$/i"; classtype:trojan-activity; sid:4081781; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain latribuessentielle.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"latribuessentielle.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])latribuessentielle\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081782; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain d1franchise.com"; dns.query; content:"d1franchise.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])d1franchise\.com$/i"; classtype:trojan-activity; sid:4081791; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain d1franchise.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"d1franchise.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])d1franchise\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081792; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP 
e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain bricotienda.com"; dns.query; content:"bricotienda.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])bricotienda\.com$/i"; classtype:trojan-activity; sid:4081801; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain bricotienda.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bricotienda.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bricotienda\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081802; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain marchand-sloboda.com"; dns.query; content:"marchand-sloboda.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])marchand\-sloboda\.com$/i"; classtype:trojan-activity; sid:4081811; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain marchand-sloboda.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"marchand-sloboda.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])marchand\-sloboda\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081812; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain bbsmobler.se"; dns.query; content:"bbsmobler.se"; nocase; pcre: "/(^|[^A-Za-z0-9-])bbsmobler\.se$/i"; classtype:trojan-activity; sid:4081821; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain bbsmobler.se"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bbsmobler.se"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bbsmobler\.se[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081822; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain foryourhealth.live"; dns.query; content:"foryourhealth.live"; nocase; pcre: "/(^|[^A-Za-z0-9-])foryourhealth\.live$/i"; classtype:trojan-activity; sid:4081831; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain foryourhealth.live"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"foryourhealth.live"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])foryourhealth\.live[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081832; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain tips.technology"; dns.query; content:"tips.technology"; nocase; pcre: "/(^|[^A-Za-z0-9-])tips\.technology$/i"; classtype:trojan-activity; sid:4081841; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain tips.technology"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tips.technology"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tips\.technology[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081842; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain stacyloeb.com"; dns.query; content:"stacyloeb.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])stacyloeb\.com$/i"; classtype:trojan-activity; sid:4081851; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain stacyloeb.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"stacyloeb.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])stacyloeb\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081852; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - 
S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain coding-marking.com"; dns.query; content:"coding-marking.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])coding\-marking\.com$/i"; classtype:trojan-activity; sid:4081861; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain coding-marking.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"coding-marking.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])coding\-marking\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081862; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain gasolspecialisten.se"; dns.query; content:"gasolspecialisten.se"; nocase; pcre: "/(^|[^A-Za-z0-9-])gasolspecialisten\.se$/i"; classtype:trojan-activity; sid:4081871; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain gasolspecialisten.se"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gasolspecialisten.se"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gasolspecialisten\.se[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081872; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - 
S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain dlc.berlin"; dns.query; content:"dlc.berlin"; nocase; pcre: "/(^|[^A-Za-z0-9-])dlc\.berlin$/i"; classtype:trojan-activity; sid:4081881; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain dlc.berlin"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dlc.berlin"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dlc\.berlin[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081882; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain presseclub-magdeburg.de"; dns.query; content:"presseclub-magdeburg.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])presseclub\-magdeburg\.de$/i"; classtype:trojan-activity; sid:4081891; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain presseclub-magdeburg.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"presseclub-magdeburg.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])presseclub\-magdeburg\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081892; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - 
S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain hebkft.hu"; dns.query; content:"hebkft.hu"; nocase; pcre: "/(^|[^A-Za-z0-9-])hebkft\.hu$/i"; classtype:trojan-activity; sid:4081901; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain hebkft.hu"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hebkft.hu"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hebkft\.hu[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081902; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain geoffreymeuli.com"; dns.query; content:"geoffreymeuli.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])geoffreymeuli\.com$/i"; classtype:trojan-activity; sid:4081911; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain geoffreymeuli.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"geoffreymeuli.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])geoffreymeuli\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081912; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - 
S0029",tlp:white] Domain filmstreamingvfcomplet.be"; dns.query; content:"filmstreamingvfcomplet.be"; nocase; pcre: "/(^|[^A-Za-z0-9-])filmstreamingvfcomplet\.be$/i"; classtype:trojan-activity; sid:4081921; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain filmstreamingvfcomplet.be"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"filmstreamingvfcomplet.be"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])filmstreamingvfcomplet\.be[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081922; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain dubscollective.com"; dns.query; content:"dubscollective.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])dubscollective\.com$/i"; classtype:trojan-activity; sid:4081931; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain dubscollective.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dubscollective.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dubscollective\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081932; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - 
S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain carriagehousesalonvt.com"; dns.query; content:"carriagehousesalonvt.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])carriagehousesalonvt\.com$/i"; classtype:trojan-activity; sid:4081941; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain carriagehousesalonvt.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"carriagehousesalonvt.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])carriagehousesalonvt\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081942; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain love30-chanko.com"; dns.query; content:"love30-chanko.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])love30\-chanko\.com$/i"; classtype:trojan-activity; sid:4081951; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain love30-chanko.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"love30-chanko.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])love30\-chanko\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081952; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain rerekatu.com"; dns.query; content:"rerekatu.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])rerekatu\.com$/i"; classtype:trojan-activity; sid:4081961; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain rerekatu.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"rerekatu.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])rerekatu\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081962; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain milanonotai.it"; dns.query; content:"milanonotai.it"; nocase; pcre: "/(^|[^A-Za-z0-9-])milanonotai\.it$/i"; classtype:trojan-activity; sid:4081971; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain milanonotai.it"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"milanonotai.it"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])milanonotai\.it[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081972; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - 
S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain bigasgrup.com"; dns.query; content:"bigasgrup.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])bigasgrup\.com$/i"; classtype:trojan-activity; sid:4081981; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain bigasgrup.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bigasgrup.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bigasgrup\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081982; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain raschlosser.de"; dns.query; content:"raschlosser.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])raschlosser\.de$/i"; classtype:trojan-activity; sid:4081991; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain raschlosser.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"raschlosser.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])raschlosser\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4081992; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - 
S0029",tlp:white] Domain pelorus.group"; dns.query; content:"pelorus.group"; nocase; pcre: "/(^|[^A-Za-z0-9-])pelorus\.group$/i"; classtype:trojan-activity; sid:4082001; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain pelorus.group"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pelorus.group"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pelorus\.group[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082002; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain abuelos.com"; dns.query; content:"abuelos.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])abuelos\.com$/i"; classtype:trojan-activity; sid:4082011; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain abuelos.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"abuelos.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])abuelos\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082012; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain winrace.no"; dns.query; content:"winrace.no"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])winrace\.no$/i"; classtype:trojan-activity; sid:4082021; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain winrace.no"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"winrace.no"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])winrace\.no[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082022; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain ino-professional.ru"; dns.query; content:"ino-professional.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])ino\-professional\.ru$/i"; classtype:trojan-activity; sid:4082031; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain ino-professional.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ino-professional.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ino\-professional\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082032; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain commonground-stories.com"; dns.query; content:"commonground-stories.com"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])commonground\-stories\.com$/i"; classtype:trojan-activity; sid:4082041; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain commonground-stories.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"commonground-stories.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])commonground\-stories\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082042; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain xn--fn-kka.no"; dns.query; content:"xn--fn-kka.no"; nocase; pcre: "/(^|[^A-Za-z0-9-])xn\-\-fn\-kka\.no$/i"; classtype:trojan-activity; sid:4082051; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain xn--fn-kka.no"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"xn--fn-kka.no"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])xn\-\-fn\-kka\.no[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082052; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain fensterbau-ziegler.de"; dns.query; content:"fensterbau-ziegler.de"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])fensterbau\-ziegler\.de$/i"; classtype:trojan-activity; sid:4082061; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain fensterbau-ziegler.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"fensterbau-ziegler.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])fensterbau\-ziegler\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082062; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain girlillamarketing.com"; dns.query; content:"girlillamarketing.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])girlillamarketing\.com$/i"; classtype:trojan-activity; sid:4082071; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain girlillamarketing.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"girlillamarketing.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])girlillamarketing\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082072; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain centrospgolega.com"; dns.query; 
content:"centrospgolega.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])centrospgolega\.com$/i"; classtype:trojan-activity; sid:4082081; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain centrospgolega.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"centrospgolega.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])centrospgolega\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082082; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain vitalyscenter.es"; dns.query; content:"vitalyscenter.es"; nocase; pcre: "/(^|[^A-Za-z0-9-])vitalyscenter\.es$/i"; classtype:trojan-activity; sid:4082091; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain vitalyscenter.es"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vitalyscenter.es"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vitalyscenter\.es[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082092; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain vdberg-autoimport.nl"; dns.query; 
content:"vdberg-autoimport.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])vdberg\-autoimport\.nl$/i"; classtype:trojan-activity; sid:4082101; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain vdberg-autoimport.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vdberg-autoimport.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vdberg\-autoimport\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082102; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain ianaswanson.com"; dns.query; content:"ianaswanson.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ianaswanson\.com$/i"; classtype:trojan-activity; sid:4082111; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain ianaswanson.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ianaswanson.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ianaswanson\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082112; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain norovirus-ratgeber.de"; dns.query; 
content:"norovirus-ratgeber.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])norovirus\-ratgeber\.de$/i"; classtype:trojan-activity; sid:4082121; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain norovirus-ratgeber.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"norovirus-ratgeber.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])norovirus\-ratgeber\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082122; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain goodgirlrecovery.com"; dns.query; content:"goodgirlrecovery.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])goodgirlrecovery\.com$/i"; classtype:trojan-activity; sid:4082131; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain goodgirlrecovery.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"goodgirlrecovery.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])goodgirlrecovery\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082132; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain 
plotlinecreative.com"; dns.query; content:"plotlinecreative.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])plotlinecreative\.com$/i"; classtype:trojan-activity; sid:4082141; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain plotlinecreative.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"plotlinecreative.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])plotlinecreative\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082142; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain id-et-d.fr"; dns.query; content:"id-et-d.fr"; nocase; pcre: "/(^|[^A-Za-z0-9-])id\-et\-d\.fr$/i"; classtype:trojan-activity; sid:4082151; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain id-et-d.fr"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"id-et-d.fr"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])id\-et\-d\.fr[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082152; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain blossombeyond50.com"; dns.query; 
content:"blossombeyond50.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])blossombeyond50\.com$/i"; classtype:trojan-activity; sid:4082161; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain blossombeyond50.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"blossombeyond50.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])blossombeyond50\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082162; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain notsilentmd.org"; dns.query; content:"notsilentmd.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])notsilentmd\.org$/i"; classtype:trojan-activity; sid:4082171; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain notsilentmd.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"notsilentmd.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])notsilentmd\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082172; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain pmcimpact.com"; dns.query; content:"pmcimpact.com"; 
nocase; pcre: "/(^|[^A-Za-z0-9-])pmcimpact\.com$/i"; classtype:trojan-activity; sid:4082181; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain pmcimpact.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pmcimpact.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pmcimpact\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082182; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain collaborativeclassroom.org"; dns.query; content:"collaborativeclassroom.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])collaborativeclassroom\.org$/i"; classtype:trojan-activity; sid:4082191; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain collaborativeclassroom.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"collaborativeclassroom.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])collaborativeclassroom\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082192; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain noskierrenteria.com"; dns.query; 
content:"noskierrenteria.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])noskierrenteria\.com$/i"; classtype:trojan-activity; sid:4082201; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain noskierrenteria.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"noskierrenteria.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])noskierrenteria\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082202; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain urist-bogatyr.ru"; dns.query; content:"urist-bogatyr.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])urist\-bogatyr\.ru$/i"; classtype:trojan-activity; sid:4082211; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain urist-bogatyr.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"urist-bogatyr.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])urist\-bogatyr\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082212; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain dontpassthepepper.com"; dns.query; 
content:"dontpassthepepper.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])dontpassthepepper\.com$/i"; classtype:trojan-activity; sid:4082221; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain dontpassthepepper.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dontpassthepepper.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dontpassthepepper\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082222; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain aprepol.com"; dns.query; content:"aprepol.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])aprepol\.com$/i"; classtype:trojan-activity; sid:4082231; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain aprepol.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"aprepol.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])aprepol\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082232; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain mooreslawngarden.com"; dns.query; content:"mooreslawngarden.com"; 
nocase; pcre: "/(^|[^A-Za-z0-9-])mooreslawngarden\.com$/i"; classtype:trojan-activity; sid:4082241; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain mooreslawngarden.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mooreslawngarden.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mooreslawngarden\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082242; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain plantag.de"; dns.query; content:"plantag.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])plantag\.de$/i"; classtype:trojan-activity; sid:4082251; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain plantag.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"plantag.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])plantag\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082252; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain tux-espacios.com"; dns.query; content:"tux-espacios.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])tux\-espacios\.com$/i"; 
classtype:trojan-activity; sid:4082261; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain tux-espacios.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tux-espacios.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tux\-espacios\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082262; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain evergreen-fishing.com"; dns.query; content:"evergreen-fishing.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])evergreen\-fishing\.com$/i"; classtype:trojan-activity; sid:4082271; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain evergreen-fishing.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"evergreen-fishing.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])evergreen\-fishing\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082272; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain spectrmash.ru"; dns.query; content:"spectrmash.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])spectrmash\.ru$/i"; 
classtype:trojan-activity; sid:4082281; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain spectrmash.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"spectrmash.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])spectrmash\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082282; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain biapi-coaching.fr"; dns.query; content:"biapi-coaching.fr"; nocase; pcre: "/(^|[^A-Za-z0-9-])biapi\-coaching\.fr$/i"; classtype:trojan-activity; sid:4082291; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain biapi-coaching.fr"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"biapi-coaching.fr"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])biapi\-coaching\.fr[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082292; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain kosterra.com"; dns.query; content:"kosterra.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])kosterra\.com$/i"; classtype:trojan-activity; sid:4082301; rev:1; 
priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain kosterra.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kosterra.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kosterra\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082302; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain tanzschule-kieber.de"; dns.query; content:"tanzschule-kieber.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])tanzschule\-kieber\.de$/i"; classtype:trojan-activity; sid:4082311; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain tanzschule-kieber.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tanzschule-kieber.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tanzschule\-kieber\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082312; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain beautychance.se"; dns.query; content:"beautychance.se"; nocase; pcre: "/(^|[^A-Za-z0-9-])beautychance\.se$/i"; classtype:trojan-activity; sid:4082321; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain beautychance.se"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"beautychance.se"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])beautychance\.se[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082322; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain mymoneyforex.com"; dns.query; content:"mymoneyforex.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])mymoneyforex\.com$/i"; classtype:trojan-activity; sid:4082331; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain mymoneyforex.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mymoneyforex.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mymoneyforex\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082332; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain saarland-thermen-resort.com"; dns.query; content:"saarland-thermen-resort.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])saarland\-thermen\-resort\.com$/i"; classtype:trojan-activity; sid:4082341; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain saarland-thermen-resort.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"saarland-thermen-resort.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])saarland\-thermen\-resort\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082342; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname d2marketing.co.uk"; dns.query; content:"d2marketing.co.uk"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])d2marketing\.co\.uk$/i"; classtype:trojan-activity; sid:4082351; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname d2marketing.co.uk"; flow:to_server,established; http.header; content: "Host|3a| d2marketing.co.uk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])d2marketing\.co\.uk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082352; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain lionware.de"; dns.query; content:"lionware.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])lionware\.de$/i"; classtype:trojan-activity; sid:4082361; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain lionware.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lionware.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lionware\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082362; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain danholzmann.com"; dns.query; content:"danholzmann.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])danholzmann\.com$/i"; classtype:trojan-activity; sid:4082371; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain danholzmann.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"danholzmann.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])danholzmann\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082372; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain stoeferlehalle.de"; dns.query; content:"stoeferlehalle.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])stoeferlehalle\.de$/i"; classtype:trojan-activity; sid:4082381; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain stoeferlehalle.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"stoeferlehalle.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])stoeferlehalle\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082382; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain almosthomedogrescue.dog"; dns.query; content:"almosthomedogrescue.dog"; nocase; pcre: "/(^|[^A-Za-z0-9-])almosthomedogrescue\.dog$/i"; classtype:trojan-activity; sid:4082391; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain almosthomedogrescue.dog"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"almosthomedogrescue.dog"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])almosthomedogrescue\.dog[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082392; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain makeflowers.ru"; dns.query; content:"makeflowers.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])makeflowers\.ru$/i"; classtype:trojan-activity; sid:4082401; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain makeflowers.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"makeflowers.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])makeflowers\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082402; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain celeclub.org"; dns.query; content:"celeclub.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])celeclub\.org$/i"; classtype:trojan-activity; sid:4082411; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain celeclub.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"celeclub.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])celeclub\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082412; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname ausair.com.au"; dns.query; content:"ausair.com.au"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ausair\.com\.au$/i"; classtype:trojan-activity; sid:4082421; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname ausair.com.au"; flow:to_server,established; http.header; content: "Host|3a| ausair.com.au"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ausair\.com\.au[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082422; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain handi-jack-llc.com"; dns.query; content:"handi-jack-llc.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])handi\-jack\-llc\.com$/i"; classtype:trojan-activity; sid:4082431; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain handi-jack-llc.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"handi-jack-llc.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])handi\-jack\-llc\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082432; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain actecfoundation.org"; dns.query; content:"actecfoundation.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])actecfoundation\.org$/i"; classtype:trojan-activity; sid:4082441; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP 
e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain actecfoundation.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"actecfoundation.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])actecfoundation\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082442; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain carolinepenn.com"; dns.query; content:"carolinepenn.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])carolinepenn\.com$/i"; classtype:trojan-activity; sid:4082451; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain carolinepenn.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"carolinepenn.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])carolinepenn\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082452; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain seproc.hn"; dns.query; content:"seproc.hn"; nocase; pcre: "/(^|[^A-Za-z0-9-])seproc\.hn$/i"; classtype:trojan-activity; sid:4082461; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain seproc.hn"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"seproc.hn"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])seproc\.hn[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082462; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain citymax-cr.com"; dns.query; content:"citymax-cr.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])citymax\-cr\.com$/i"; classtype:trojan-activity; sid:4082471; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain citymax-cr.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"citymax-cr.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])citymax\-cr\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082472; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain employeesurveys.com"; dns.query; content:"employeesurveys.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])employeesurveys\.com$/i"; classtype:trojan-activity; sid:4082481; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - 
S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain employeesurveys.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"employeesurveys.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])employeesurveys\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082482; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain nmiec.com"; dns.query; content:"nmiec.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])nmiec\.com$/i"; classtype:trojan-activity; sid:4082491; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain nmiec.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nmiec.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nmiec\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082492; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain campusoutreach.org"; dns.query; content:"campusoutreach.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])campusoutreach\.org$/i"; classtype:trojan-activity; sid:4082501; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - 
S0029",tlp:white] Outgoing HTTP Domain campusoutreach.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"campusoutreach.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])campusoutreach\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082502; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain calabasasdigest.com"; dns.query; content:"calabasasdigest.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])calabasasdigest\.com$/i"; classtype:trojan-activity; sid:4082511; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain calabasasdigest.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"calabasasdigest.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])calabasasdigest\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082512; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain allamatberedare.se"; dns.query; content:"allamatberedare.se"; nocase; pcre: "/(^|[^A-Za-z0-9-])allamatberedare\.se$/i"; classtype:trojan-activity; sid:4082521; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - 
S0029",tlp:white] Outgoing HTTP Domain allamatberedare.se"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"allamatberedare.se"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])allamatberedare\.se[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082522; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain aunexis.ch"; dns.query; content:"aunexis.ch"; nocase; pcre: "/(^|[^A-Za-z0-9-])aunexis\.ch$/i"; classtype:trojan-activity; sid:4082531; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain aunexis.ch"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"aunexis.ch"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])aunexis\.ch[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082532; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain nachhilfe-unterricht.com"; dns.query; content:"nachhilfe-unterricht.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])nachhilfe\-unterricht\.com$/i"; classtype:trojan-activity; sid:4082541; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain 
nachhilfe-unterricht.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nachhilfe-unterricht.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nachhilfe\-unterricht\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082542; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain praxis-foerderdiagnostik.de"; dns.query; content:"praxis-foerderdiagnostik.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])praxis\-foerderdiagnostik\.de$/i"; classtype:trojan-activity; sid:4082551; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain praxis-foerderdiagnostik.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"praxis-foerderdiagnostik.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])praxis\-foerderdiagnostik\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082552; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain botanicinnovations.com"; dns.query; content:"botanicinnovations.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])botanicinnovations\.com$/i"; classtype:trojan-activity; sid:4082561; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - 
S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain botanicinnovations.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"botanicinnovations.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])botanicinnovations\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082562; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain torgbodenbollnas.se"; dns.query; content:"torgbodenbollnas.se"; nocase; pcre: "/(^|[^A-Za-z0-9-])torgbodenbollnas\.se$/i"; classtype:trojan-activity; sid:4082571; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain torgbodenbollnas.se"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"torgbodenbollnas.se"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])torgbodenbollnas\.se[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082572; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain zonamovie21.net"; dns.query; content:"zonamovie21.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])zonamovie21\.net$/i"; classtype:trojan-activity; sid:4082581; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - 
S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain zonamovie21.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"zonamovie21.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])zonamovie21\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082582; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain esope-formation.fr"; dns.query; content:"esope-formation.fr"; nocase; pcre: "/(^|[^A-Za-z0-9-])esope\-formation\.fr$/i"; classtype:trojan-activity; sid:4082591; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain esope-formation.fr"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"esope-formation.fr"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])esope\-formation\.fr[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082592; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain manijaipur.com"; dns.query; content:"manijaipur.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])manijaipur\.com$/i"; classtype:trojan-activity; sid:4082601; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - 
S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain manijaipur.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"manijaipur.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])manijaipur\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082602; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
#
# MISP event 208 (see the reference:url on each rule), galaxy tags Mimikatz (S0002) and PsExec (S0029).
# Every indicator below is exported as a pair of rules: a "dns" rule on dns.query and an "http" rule on
# the request headers of outbound ($HOME_NET -> $EXTERNAL_NET, flow:to_server) plaintext HTTP.
#   "Domain X"   : the pcre only forbids [A-Za-z0-9-] directly before X, so "." is allowed and sub.X
#                  matches as well (exact host or any subdomain).
#   "Hostname X" : the pcre also forbids "." before X, so only the exact host matches; the http rule
#                  matches "Host: X" as a single content.
# In the "Domain" http rules the two http.header contents ("Host|3a|" and X) carry no distance/within,
# so they are matched independently: X in another header (e.g. Referer) together with any Host header
# can also fire. Treat such hits as lower confidence and confirm against the Host value in the alert.
# No tls.sni rule is exported in this section, so TLS connections to these hosts are not covered here.
# tag:session,600,seconds keeps logging the matching session for 600 s after the first hit.
# The dns rules are "any any -> any any": every hop of a query the sensor can see (client -> resolver,
# resolver -> upstream) alerts, so expect several alerts per lookup.
# priority:1 overrides the priority that classtype trojan-activity would otherwise assign.
#
# nokesvilledentistry.com (Domain: exact host or subdomain)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain nokesvilledentistry.com"; dns.query; content:"nokesvilledentistry.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])nokesvilledentistry\.com$/i"; classtype:trojan-activity; sid:4082611; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain nokesvilledentistry.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nokesvilledentistry.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nokesvilledentistry\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082612; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# executiveairllc.com (Domain: exact host or subdomain)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain executiveairllc.com"; dns.query; content:"executiveairllc.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])executiveairllc\.com$/i"; classtype:trojan-activity; sid:4082621; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain executiveairllc.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"executiveairllc.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])executiveairllc\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082622; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# allure-cosmetics.at (Domain: exact host or subdomain)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain allure-cosmetics.at"; dns.query; content:"allure-cosmetics.at"; nocase; pcre: "/(^|[^A-Za-z0-9-])allure\-cosmetics\.at$/i"; classtype:trojan-activity; sid:4082631; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain allure-cosmetics.at"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"allure-cosmetics.at"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])allure\-cosmetics\.at[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082632; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# gmto.fr (Domain: exact host or subdomain)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain gmto.fr"; dns.query; content:"gmto.fr"; nocase; pcre: "/(^|[^A-Za-z0-9-])gmto\.fr$/i"; classtype:trojan-activity; sid:4082641; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain gmto.fr"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gmto.fr"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gmto\.fr[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082642; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# kadesignandbuild.co.uk (Hostname: exact host only)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname kadesignandbuild.co.uk"; dns.query; content:"kadesignandbuild.co.uk"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])kadesignandbuild\.co\.uk$/i"; classtype:trojan-activity; sid:4082651; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname kadesignandbuild.co.uk"; flow:to_server,established; http.header; content: "Host|3a| kadesignandbuild.co.uk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])kadesignandbuild\.co\.uk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082652; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# mir-na-iznanku.com (Domain: exact host or subdomain)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain mir-na-iznanku.com"; dns.query; content:"mir-na-iznanku.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])mir\-na\-iznanku\.com$/i"; classtype:trojan-activity; sid:4082661; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain mir-na-iznanku.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mir-na-iznanku.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mir\-na\-iznanku\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082662; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# pasivect.co.uk (Hostname: exact host only)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname pasivect.co.uk"; dns.query; content:"pasivect.co.uk"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])pasivect\.co\.uk$/i"; classtype:trojan-activity; sid:4082671; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname pasivect.co.uk"; flow:to_server,established; http.header; content: "Host|3a| pasivect.co.uk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])pasivect\.co\.uk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082672; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# dr-tremel-rednitzhembach.de (Domain: exact host or subdomain)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain dr-tremel-rednitzhembach.de"; dns.query; content:"dr-tremel-rednitzhembach.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])dr\-tremel\-rednitzhembach\.de$/i"; classtype:trojan-activity; sid:4082681; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain dr-tremel-rednitzhembach.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dr-tremel-rednitzhembach.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dr\-tremel\-rednitzhembach\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082682; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# mediaplayertest.net (Domain: exact host or subdomain)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain mediaplayertest.net"; dns.query; content:"mediaplayertest.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])mediaplayertest\.net$/i"; classtype:trojan-activity; sid:4082691; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain mediaplayertest.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mediaplayertest.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mediaplayertest\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082692; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# pferdebiester.de (Domain: exact host or subdomain)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain pferdebiester.de"; dns.query; content:"pferdebiester.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])pferdebiester\.de$/i"; classtype:trojan-activity; sid:4082701; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain pferdebiester.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pferdebiester.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pferdebiester\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082702; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# analiticapublica.es (Domain: exact host or subdomain)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain analiticapublica.es"; dns.query; content:"analiticapublica.es"; nocase; pcre: "/(^|[^A-Za-z0-9-])analiticapublica\.es$/i"; classtype:trojan-activity; sid:4082711; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain analiticapublica.es"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"analiticapublica.es"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])analiticapublica\.es[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082712; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# hexcreatives.co (Domain: exact host or subdomain)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain hexcreatives.co"; dns.query; content:"hexcreatives.co"; nocase; pcre: "/(^|[^A-Za-z0-9-])hexcreatives\.co$/i"; classtype:trojan-activity; sid:4082721; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain hexcreatives.co"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hexcreatives.co"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hexcreatives\.co[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082722; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# journeybacktolife.com (Domain: exact host or subdomain)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain journeybacktolife.com"; dns.query; content:"journeybacktolife.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])journeybacktolife\.com$/i"; classtype:trojan-activity; sid:4082731; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain journeybacktolife.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"journeybacktolife.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])journeybacktolife\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082732; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# rhinosfootballacademy.com (Domain: exact host or subdomain)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain rhinosfootballacademy.com"; dns.query; content:"rhinosfootballacademy.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])rhinosfootballacademy\.com$/i"; classtype:trojan-activity; sid:4082741; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain rhinosfootballacademy.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"rhinosfootballacademy.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])rhinosfootballacademy\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082742; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# bouncingbonanza.com (Domain: exact host or subdomain)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain bouncingbonanza.com"; dns.query; content:"bouncingbonanza.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])bouncingbonanza\.com$/i"; classtype:trojan-activity; sid:4082751; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain bouncingbonanza.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bouncingbonanza.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bouncingbonanza\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082752; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# ecpmedia.vn (Domain: exact host or subdomain)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain ecpmedia.vn"; dns.query; content:"ecpmedia.vn"; nocase; pcre: "/(^|[^A-Za-z0-9-])ecpmedia\.vn$/i"; classtype:trojan-activity; sid:4082761; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain ecpmedia.vn"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ecpmedia.vn"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ecpmedia\.vn[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082762; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# elimchan.com (Domain: exact host or subdomain)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain elimchan.com"; dns.query; content:"elimchan.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])elimchan\.com$/i"; classtype:trojan-activity; sid:4082771; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain elimchan.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"elimchan.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])elimchan\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082772; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# sanyue119.com (Domain: exact host or subdomain)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain sanyue119.com"; dns.query; content:"sanyue119.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])sanyue119\.com$/i"; classtype:trojan-activity; sid:4082781; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain sanyue119.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sanyue119.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sanyue119\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082782; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# bafuncs.org (Domain: exact host or subdomain)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain bafuncs.org"; dns.query; content:"bafuncs.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])bafuncs\.org$/i"; classtype:trojan-activity; sid:4082791; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain bafuncs.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bafuncs.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bafuncs\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082792; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# knowledgemuseumbd.com (Domain: exact host or subdomain)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain knowledgemuseumbd.com"; dns.query; content:"knowledgemuseumbd.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])knowledgemuseumbd\.com$/i"; classtype:trojan-activity; sid:4082801; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain knowledgemuseumbd.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"knowledgemuseumbd.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])knowledgemuseumbd\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082802; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# synlab.lt (Domain: exact host or subdomain)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain synlab.lt"; dns.query; content:"synlab.lt"; nocase; pcre: "/(^|[^A-Za-z0-9-])synlab\.lt$/i"; classtype:trojan-activity; sid:4082811; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain synlab.lt"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"synlab.lt"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])synlab\.lt[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082812; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# judithjansen.com (Domain: exact host or subdomain)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain judithjansen.com"; dns.query; content:"judithjansen.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])judithjansen\.com$/i"; classtype:trojan-activity; sid:4082821; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain judithjansen.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"judithjansen.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])judithjansen\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082822; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# icpcnj.org (Domain: exact host or subdomain)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain icpcnj.org"; dns.query; content:"icpcnj.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])icpcnj\.org$/i"; classtype:trojan-activity; sid:4082831; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain icpcnj.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"icpcnj.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])icpcnj\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082832; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# polychromelabs.com (Domain: exact host or subdomain)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain polychromelabs.com"; dns.query; content:"polychromelabs.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])polychromelabs\.com$/i"; classtype:trojan-activity; sid:4082841; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain polychromelabs.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"polychromelabs.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])polychromelabs\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082842; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# schoolofpassivewealth.com (Domain: exact host or subdomain)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain schoolofpassivewealth.com"; dns.query; content:"schoolofpassivewealth.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])schoolofpassivewealth\.com$/i"; classtype:trojan-activity; sid:4082851; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain schoolofpassivewealth.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"schoolofpassivewealth.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])schoolofpassivewealth\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082852; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# izzi360.com (Domain: exact host or subdomain)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain izzi360.com"; dns.query; content:"izzi360.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])izzi360\.com$/i"; classtype:trojan-activity; sid:4082861; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain izzi360.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"izzi360.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])izzi360\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082862; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# transportesycementoshidalgo.es (Domain: exact host or subdomain)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain transportesycementoshidalgo.es"; dns.query; content:"transportesycementoshidalgo.es"; nocase; pcre: "/(^|[^A-Za-z0-9-])transportesycementoshidalgo\.es$/i"; classtype:trojan-activity; sid:4082871; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain transportesycementoshidalgo.es"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"transportesycementoshidalgo.es"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])transportesycementoshidalgo\.es[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082872; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# atozdistribution.co.uk (Hostname: exact host only)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname atozdistribution.co.uk"; dns.query; content:"atozdistribution.co.uk"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])atozdistribution\.co\.uk$/i"; classtype:trojan-activity; sid:4082881; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname atozdistribution.co.uk"; flow:to_server,established; http.header; content: "Host|3a| atozdistribution.co.uk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])atozdistribution\.co\.uk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082882; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# nancy-informatique.fr (Domain: exact host or subdomain)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain nancy-informatique.fr"; dns.query; content:"nancy-informatique.fr"; nocase; pcre: "/(^|[^A-Za-z0-9-])nancy\-informatique\.fr$/i"; classtype:trojan-activity; sid:4082891; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain nancy-informatique.fr"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nancy-informatique.fr"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nancy\-informatique\.fr[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082892; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# bsaship.com (Domain: exact host or subdomain)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain bsaship.com"; dns.query; content:"bsaship.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])bsaship\.com$/i"; classtype:trojan-activity; sid:4082901; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain bsaship.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bsaship.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bsaship\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082902; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# pivoineetc.fr (Domain: exact host or subdomain)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain pivoineetc.fr"; dns.query; content:"pivoineetc.fr"; nocase; pcre: "/(^|[^A-Za-z0-9-])pivoineetc\.fr$/i"; classtype:trojan-activity; sid:4082911; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain pivoineetc.fr"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pivoineetc.fr"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pivoineetc\.fr[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082912; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# healthyyworkout.com (Domain: exact host or subdomain)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain healthyyworkout.com"; dns.query; content:"healthyyworkout.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])healthyyworkout\.com$/i"; classtype:trojan-activity; sid:4082921; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain healthyyworkout.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"healthyyworkout.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])healthyyworkout\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082922; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# ziegler-praezisionsteile.de (Domain: exact host or subdomain)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain ziegler-praezisionsteile.de"; dns.query; content:"ziegler-praezisionsteile.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])ziegler\-praezisionsteile\.de$/i"; classtype:trojan-activity; sid:4082931; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain ziegler-praezisionsteile.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ziegler-praezisionsteile.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ziegler\-praezisionsteile\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082932; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# theadventureedge.com (Domain: exact host or subdomain)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain theadventureedge.com"; dns.query; content:"theadventureedge.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])theadventureedge\.com$/i"; classtype:trojan-activity; sid:4082941; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain theadventureedge.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"theadventureedge.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])theadventureedge\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082942; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# polzine.net (Domain: exact host or subdomain)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain polzine.net"; dns.query; content:"polzine.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])polzine\.net$/i"; classtype:trojan-activity; sid:4082951; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain polzine.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"polzine.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])polzine\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082952; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# art2gointerieurprojecten.nl (Domain: exact host or subdomain)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain art2gointerieurprojecten.nl"; dns.query; content:"art2gointerieurprojecten.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])art2gointerieurprojecten\.nl$/i"; classtype:trojan-activity; sid:4082961; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain art2gointerieurprojecten.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"art2gointerieurprojecten.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])art2gointerieurprojecten\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082962; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# tetinfo.in (Domain: exact host or subdomain)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain tetinfo.in"; dns.query; content:"tetinfo.in"; nocase; pcre: "/(^|[^A-Za-z0-9-])tetinfo\.in$/i"; classtype:trojan-activity; sid:4082971; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain tetinfo.in"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tetinfo.in"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tetinfo\.in[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082972; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# herbayupro.com (Domain: exact host or subdomain)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain herbayupro.com"; dns.query; content:"herbayupro.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])herbayupro\.com$/i"; classtype:trojan-activity; sid:4082981; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain herbayupro.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"herbayupro.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])herbayupro\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082982; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# petnest.ir (Domain: exact host or subdomain)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain petnest.ir"; dns.query; content:"petnest.ir"; nocase; pcre: "/(^|[^A-Za-z0-9-])petnest\.ir$/i"; classtype:trojan-activity; sid:4082991; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain petnest.ir"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"petnest.ir"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])petnest\.ir[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4082992; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# deko4you.at (Domain: exact host or subdomain)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain deko4you.at"; dns.query; content:"deko4you.at"; nocase; pcre: "/(^|[^A-Za-z0-9-])deko4you\.at$/i"; classtype:trojan-activity; sid:4083001; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain deko4you.at"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"deko4you.at"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])deko4you\.at[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083002; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# yourobgyn.net (Domain: exact host or subdomain)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain yourobgyn.net"; dns.query; content:"yourobgyn.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])yourobgyn\.net$/i"; classtype:trojan-activity; sid:4083011; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain yourobgyn.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"yourobgyn.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])yourobgyn\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083012; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# ahouseforlease.com (Domain: exact host or subdomain); the http rule continues on the next line
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain ahouseforlease.com"; dns.query; content:"ahouseforlease.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ahouseforlease\.com$/i"; classtype:trojan-activity; sid:4083021; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain ahouseforlease.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ahouseforlease.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])ahouseforlease\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083022; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain shadebarandgrillorlando.com"; dns.query; content:"shadebarandgrillorlando.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])shadebarandgrillorlando\.com$/i"; classtype:trojan-activity; sid:4083031; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain shadebarandgrillorlando.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"shadebarandgrillorlando.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])shadebarandgrillorlando\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083032; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain apolomarcas.com"; dns.query; content:"apolomarcas.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])apolomarcas\.com$/i"; classtype:trojan-activity; sid:4083041; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain apolomarcas.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"apolomarcas.com"; 
fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])apolomarcas\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083042; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain pay4essays.net"; dns.query; content:"pay4essays.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])pay4essays\.net$/i"; classtype:trojan-activity; sid:4083051; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain pay4essays.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pay4essays.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pay4essays\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083052; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain thomasvicino.com"; dns.query; content:"thomasvicino.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])thomasvicino\.com$/i"; classtype:trojan-activity; sid:4083061; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain thomasvicino.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"thomasvicino.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])thomasvicino\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083062; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain pogypneu.sk"; dns.query; content:"pogypneu.sk"; nocase; pcre: "/(^|[^A-Za-z0-9-])pogypneu\.sk$/i"; classtype:trojan-activity; sid:4083071; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain pogypneu.sk"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pogypneu.sk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pogypneu\.sk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083072; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain pasvenska.se"; dns.query; content:"pasvenska.se"; nocase; pcre: "/(^|[^A-Za-z0-9-])pasvenska\.se$/i"; classtype:trojan-activity; sid:4083081; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain pasvenska.se"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pasvenska.se"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pasvenska\.se[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4083082; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain levdittliv.se"; dns.query; content:"levdittliv.se"; nocase; pcre: "/(^|[^A-Za-z0-9-])levdittliv\.se$/i"; classtype:trojan-activity; sid:4083091; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain levdittliv.se"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"levdittliv.se"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])levdittliv\.se[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083092; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain pomodori-pizzeria.de"; dns.query; content:"pomodori-pizzeria.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])pomodori\-pizzeria\.de$/i"; classtype:trojan-activity; sid:4083101; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain pomodori-pizzeria.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pomodori-pizzeria.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pomodori\-pizzeria\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; 
sid:4083102; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain directwindowco.com"; dns.query; content:"directwindowco.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])directwindowco\.com$/i"; classtype:trojan-activity; sid:4083111; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain directwindowco.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"directwindowco.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])directwindowco\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083112; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain charlesreger.com"; dns.query; content:"charlesreger.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])charlesreger\.com$/i"; classtype:trojan-activity; sid:4083121; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain charlesreger.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"charlesreger.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])charlesreger\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083122; rev:1; 
priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain norpol-yachting.com"; dns.query; content:"norpol-yachting.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])norpol\-yachting\.com$/i"; classtype:trojan-activity; sid:4083131; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain norpol-yachting.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"norpol-yachting.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])norpol\-yachting\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083132; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain happyeasterimages.org"; dns.query; content:"happyeasterimages.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])happyeasterimages\.org$/i"; classtype:trojan-activity; sid:4083141; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain happyeasterimages.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"happyeasterimages.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])happyeasterimages\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; 
sid:4083142; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain comarenterprises.com"; dns.query; content:"comarenterprises.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])comarenterprises\.com$/i"; classtype:trojan-activity; sid:4083151; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain comarenterprises.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"comarenterprises.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])comarenterprises\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083152; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain ctrler.cn"; dns.query; content:"ctrler.cn"; nocase; pcre: "/(^|[^A-Za-z0-9-])ctrler\.cn$/i"; classtype:trojan-activity; sid:4083161; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain ctrler.cn"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ctrler.cn"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ctrler\.cn[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083162; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain hannah-fink.de"; dns.query; content:"hannah-fink.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])hannah\-fink\.de$/i"; classtype:trojan-activity; sid:4083171; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain hannah-fink.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hannah-fink.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hannah\-fink\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083172; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain tanzprojekt.com"; dns.query; content:"tanzprojekt.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])tanzprojekt\.com$/i"; classtype:trojan-activity; sid:4083181; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain tanzprojekt.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tanzprojekt.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tanzprojekt\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083182; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain lbcframingelectrical.com"; dns.query; content:"lbcframingelectrical.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])lbcframingelectrical\.com$/i"; classtype:trojan-activity; sid:4083191; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain lbcframingelectrical.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lbcframingelectrical.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lbcframingelectrical\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083192; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain baronloan.org"; dns.query; content:"baronloan.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])baronloan\.org$/i"; classtype:trojan-activity; sid:4083201; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain baronloan.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"baronloan.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])baronloan\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083202; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain buymedical.biz"; dns.query; content:"buymedical.biz"; nocase; pcre: "/(^|[^A-Za-z0-9-])buymedical\.biz$/i"; classtype:trojan-activity; sid:4083211; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain buymedical.biz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"buymedical.biz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])buymedical\.biz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083212; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain moveonnews.com"; dns.query; content:"moveonnews.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])moveonnews\.com$/i"; classtype:trojan-activity; sid:4083221; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain moveonnews.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"moveonnews.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])moveonnews\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083222; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert 
dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname crowd-patch.co.uk"; dns.query; content:"crowd-patch.co.uk"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])crowd\-patch\.co\.uk$/i"; classtype:trojan-activity; sid:4083231; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# --- Review notes for the MISP event 208 export (sids 40832xx) ---
# Two rule shapes are exported per indicator, and they do NOT match the same thing:
#  * "Domain" form (e.g. kirkepartner.dk below): the DNS pcre allows a '.' right before
#    the name ("(^|[^A-Za-z0-9-])name$"), so it also fires on every subdomain of the indicator.
#  * "Hostname" form (crowd-patch.co.uk here, classycurtainsltd.co.uk later): the class
#    excludes '.' before the name ("(^|[^A-Za-z0-9-\.])name$"), so only the exact FQDN matches.
# The HTTP "Hostname" rule binds the name to the Host header via content:"Host|3a| <name>"
# (note: exactly one space after the colon is assumed by that literal).
# The HTTP "Domain" rules instead match "Host|3a|" and the name as two independent
# http.header contents with no distance/within, so as written they also fire when the name
# only appears in another request header such as Referer - expect benign-link false positives.
# These rules inspect cleartext HTTP and DNS only; no tls.sni rule for these names appears in
# this section, so HTTPS connections to the same hosts are not covered by this export.
# tag:session,600,seconds keeps logging the matching flow for 10 minutes after the alert;
# at priority:1 across the whole event, budget for the extra EVE/pcap volume before enabling.
# NOTE(review): the msg strings carry unescaped inner double quotes copied from the galaxy
# tags ("Mimikatz - S0002"); validate the file with `suricata -T -S <file>` before loading,
# as a strict option parser may reject them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname crowd-patch.co.uk"; flow:to_server,established; http.header; content: "Host|3a| crowd-patch.co.uk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])crowd\-patch\.co\.uk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083232; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# "Domain" form: the DNS pcre below matches kirkepartner.dk and any label under it.
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain kirkepartner.dk"; dns.query; content:"kirkepartner.dk"; nocase; pcre: "/(^|[^A-Za-z0-9-])kirkepartner\.dk$/i"; classtype:trojan-activity; sid:4083241; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# "Domain" HTTP form: the Host|3a| content and the kirkepartner.dk content are not tied together
# (no distance/within), so the name may match in any request header, not only Host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain kirkepartner.dk"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kirkepartner.dk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kirkepartner\.dk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083242; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname classycurtainsltd.co.uk"; dns.query; content:"classycurtainsltd.co.uk"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])classycurtainsltd\.co\.uk$/i"; classtype:trojan-activity; sid:4083251; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname classycurtainsltd.co.uk"; flow:to_server,established; http.header; content: "Host|3a| classycurtainsltd.co.uk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])classycurtainsltd\.co\.uk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083252; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain admos-gleitlager.de"; dns.query; content:"admos-gleitlager.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])admos\-gleitlager\.de$/i"; classtype:trojan-activity; sid:4083261; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain admos-gleitlager.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"admos-gleitlager.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])admos\-gleitlager\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083262; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP 
e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain midmohandyman.com"; dns.query; content:"midmohandyman.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])midmohandyman\.com$/i"; classtype:trojan-activity; sid:4083271; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain midmohandyman.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"midmohandyman.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])midmohandyman\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083272; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain lucidinvestbank.com"; dns.query; content:"lucidinvestbank.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])lucidinvestbank\.com$/i"; classtype:trojan-activity; sid:4083281; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain lucidinvestbank.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lucidinvestbank.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lucidinvestbank\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083282; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain philippedebroca.com"; dns.query; content:"philippedebroca.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])philippedebroca\.com$/i"; classtype:trojan-activity; sid:4083291; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
#
# --- MISP event 208 (https://misp.botvrij.eu/events/view/208), continued ---
# Each domain/hostname attribute below is exported as a rule pair: sid ...1 fires on a
# DNS query for the name (dns.query), sid ...2 on a cleartext HTTP request whose
# headers carry the name (http.header). Review notes for anyone tuning these:
#  * Coverage is DNS + cleartext HTTP only. No tls.sni rule for these names appears
#    in this export, so an HTTPS connection is seen only through the DNS lookup, and
#    not at all if the client resolves over DoH/DoT. Add tls.sni rules if that matters.
#  * "Domain" rules anchor the name with (^|[^A-Za-z0-9-]): a preceding "." is allowed,
#    so every subdomain of the domain matches. "Hostname" rules anchor with
#    (^|[^A-Za-z0-9-\.]) and therefore match that exact host only.
#  * In the ...2 rules the content "Host|3a|" only requires that a Host header exists;
#    it is not positionally tied to the name, and the /H pcre scans the whole header
#    block. The name is therefore matched in any request header (Referer included).
#    Use the http.host buffer instead if a Host-only match is wanted.
#  * The DNS rules are any any -> any any. On a sensor that also sees the recursive
#    resolver's upstream queries, one client lookup can alert twice; restrict the
#    source to $HOME_NET if that is noisy.
#  * tag:session,600,seconds on the HTTP rules logs the rest of the flow for 10 minutes
#    after a hit; every rule here is priority:1, so budget storage accordingly.
#  * Several names are ordinary-looking business/blog domains. If they are compromised
#    legitimate sites rather than attacker-owned infrastructure (not stated here -
#    check the event), expect benign hits once they are cleaned; review attribute
#    dates in event 208 before expiring or whitelisting.
#
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain philippedebroca.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"philippedebroca.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])philippedebroca\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083292; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain fairfriends18.de"; dns.query; content:"fairfriends18.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])fairfriends18\.de$/i"; classtype:trojan-activity; sid:4083301; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain fairfriends18.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"fairfriends18.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])fairfriends18\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083302; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain waermetauscher-berechnen.de"; dns.query; content:"waermetauscher-berechnen.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])waermetauscher\-berechnen\.de$/i"; classtype:trojan-activity; sid:4083311; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain waermetauscher-berechnen.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"waermetauscher-berechnen.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])waermetauscher\-berechnen\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083312; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain heidelbergartstudio.gallery"; dns.query; content:"heidelbergartstudio.gallery"; nocase; pcre: "/(^|[^A-Za-z0-9-])heidelbergartstudio\.gallery$/i"; classtype:trojan-activity; sid:4083321; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain heidelbergartstudio.gallery"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"heidelbergartstudio.gallery"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])heidelbergartstudio\.gallery[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083322; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain jerling.de"; dns.query; content:"jerling.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])jerling\.de$/i"; classtype:trojan-activity; sid:4083331; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain jerling.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"jerling.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])jerling\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083332; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain lescomtesdemean.be"; dns.query; content:"lescomtesdemean.be"; nocase; pcre: "/(^|[^A-Za-z0-9-])lescomtesdemean\.be$/i"; classtype:trojan-activity; sid:4083341; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain lescomtesdemean.be"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lescomtesdemean.be"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lescomtesdemean\.be[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083342; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain socialonemedia.com"; dns.query; content:"socialonemedia.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])socialonemedia\.com$/i"; classtype:trojan-activity; sid:4083351; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain socialonemedia.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"socialonemedia.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])socialonemedia\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083352; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# Hostname attributes (exact-host anchoring, see header note) - the HTTP rule also pins the name directly after "Host: ".
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname epwritescom.wordpress.com"; dns.query; content:"epwritescom.wordpress.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])epwritescom\.wordpress\.com$/i"; classtype:trojan-activity; sid:4083361; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname epwritescom.wordpress.com"; flow:to_server,established; http.header; content: "Host|3a| epwritescom.wordpress.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])epwritescom\.wordpress\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083362; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname cwsitservices.co.uk"; dns.query; content:"cwsitservices.co.uk"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cwsitservices\.co\.uk$/i"; classtype:trojan-activity; sid:4083371; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname cwsitservices.co.uk"; flow:to_server,established; http.header; content: "Host|3a| cwsitservices.co.uk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cwsitservices\.co\.uk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083372; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain dpo-as-a-service.com"; dns.query; content:"dpo-as-a-service.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])dpo\-as\-a\-service\.com$/i"; classtype:trojan-activity; sid:4083381; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain dpo-as-a-service.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dpo-as-a-service.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dpo\-as\-a\-service\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083382; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain homng.net"; dns.query; content:"homng.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])homng\.net$/i"; classtype:trojan-activity; sid:4083391; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain homng.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"homng.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])homng\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083392; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain lusak.at"; dns.query; content:"lusak.at"; nocase; pcre: "/(^|[^A-Za-z0-9-])lusak\.at$/i"; classtype:trojan-activity; sid:4083401; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain lusak.at"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lusak.at"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lusak\.at[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083402; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain servicegsm.net"; dns.query; content:"servicegsm.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])servicegsm\.net$/i"; classtype:trojan-activity; sid:4083411; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain servicegsm.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"servicegsm.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])servicegsm\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083412; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain helikoptervluchtnewyork.nl"; dns.query; content:"helikoptervluchtnewyork.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])helikoptervluchtnewyork\.nl$/i"; classtype:trojan-activity; sid:4083421; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain helikoptervluchtnewyork.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"helikoptervluchtnewyork.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])helikoptervluchtnewyork\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083422; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain chaotrang.com"; dns.query; content:"chaotrang.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])chaotrang\.com$/i"; classtype:trojan-activity; sid:4083431; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain chaotrang.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"chaotrang.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])chaotrang\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083432; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain femxarxa.cat"; dns.query; content:"femxarxa.cat"; nocase; pcre: "/(^|[^A-Za-z0-9-])femxarxa\.cat$/i"; classtype:trojan-activity; sid:4083441; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain femxarxa.cat"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"femxarxa.cat"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])femxarxa\.cat[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083442; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname johnsonfamilyfarmblog.wordpress.com"; dns.query; content:"johnsonfamilyfarmblog.wordpress.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])johnsonfamilyfarmblog\.wordpress\.com$/i"; classtype:trojan-activity; sid:4083451; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname johnsonfamilyfarmblog.wordpress.com"; flow:to_server,established; http.header; content: "Host|3a| johnsonfamilyfarmblog.wordpress.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])johnsonfamilyfarmblog\.wordpress\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083452; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain bookspeopleplaces.com"; dns.query; content:"bookspeopleplaces.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])bookspeopleplaces\.com$/i"; classtype:trojan-activity; sid:4083461; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain bookspeopleplaces.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bookspeopleplaces.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bookspeopleplaces\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083462; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain craigvalentineacademy.com"; dns.query; content:"craigvalentineacademy.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])craigvalentineacademy\.com$/i"; classtype:trojan-activity; sid:4083471; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain craigvalentineacademy.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"craigvalentineacademy.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])craigvalentineacademy\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083472; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain homesdollar.com"; dns.query; content:"homesdollar.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])homesdollar\.com$/i"; classtype:trojan-activity; sid:4083481; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain homesdollar.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"homesdollar.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])homesdollar\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083482; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain friendsandbrgrs.com"; dns.query; content:"friendsandbrgrs.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])friendsandbrgrs\.com$/i"; classtype:trojan-activity; sid:4083491; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain friendsandbrgrs.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"friendsandbrgrs.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])friendsandbrgrs\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083492; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain pv-design.de"; dns.query; content:"pv-design.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])pv\-design\.de$/i"; classtype:trojan-activity; sid:4083501; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain pv-design.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pv-design.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pv\-design\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083502; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain thenewrejuveme.com"; dns.query; content:"thenewrejuveme.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])thenewrejuveme\.com$/i"; classtype:trojan-activity; sid:4083511; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain thenewrejuveme.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"thenewrejuveme.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])thenewrejuveme\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083512; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain kao.at"; dns.query; content:"kao.at"; nocase; pcre: "/(^|[^A-Za-z0-9-])kao\.at$/i"; classtype:trojan-activity; sid:4083521; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain kao.at"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kao.at"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kao\.at[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083522; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain samnewbyjax.com"; dns.query; content:"samnewbyjax.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])samnewbyjax\.com$/i"; classtype:trojan-activity; sid:4083531; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain samnewbyjax.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"samnewbyjax.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])samnewbyjax\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083532; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain asteriag.com"; dns.query; content:"asteriag.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])asteriag\.com$/i"; classtype:trojan-activity; sid:4083541; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain asteriag.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"asteriag.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])asteriag\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083542; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain farhaani.com"; dns.query; content:"farhaani.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])farhaani\.com$/i"; classtype:trojan-activity; sid:4083551; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain farhaani.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"farhaani.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])farhaani\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083552; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain unim.su"; dns.query; content:"unim.su"; nocase; pcre: "/(^|[^A-Za-z0-9-])unim\.su$/i"; classtype:trojan-activity; sid:4083561; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain unim.su"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"unim.su"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])unim\.su[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083562; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain sobreholanda.com"; dns.query; content:"sobreholanda.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])sobreholanda\.com$/i"; classtype:trojan-activity; sid:4083571; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain sobreholanda.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sobreholanda.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sobreholanda\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083572; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain maineemploymentlawyerblog.com"; dns.query; content:"maineemploymentlawyerblog.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])maineemploymentlawyerblog\.com$/i"; classtype:trojan-activity; sid:4083581; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain maineemploymentlawyerblog.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"maineemploymentlawyerblog.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])maineemploymentlawyerblog\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083582; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain tulsawaterheaterinstallation.com"; dns.query; content:"tulsawaterheaterinstallation.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])tulsawaterheaterinstallation\.com$/i"; classtype:trojan-activity; sid:4083591; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain tulsawaterheaterinstallation.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tulsawaterheaterinstallation.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tulsawaterheaterinstallation\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083592; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain ra-staudte.de"; dns.query; content:"ra-staudte.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])ra\-staudte\.de$/i"; classtype:trojan-activity; sid:4083601; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain ra-staudte.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ra-staudte.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ra\-staudte\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083602; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain klusbeter.nl"; dns.query; content:"klusbeter.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])klusbeter\.nl$/i"; classtype:trojan-activity; sid:4083611; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain klusbeter.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"klusbeter.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])klusbeter\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083612; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain bierensgebakkramen.nl"; dns.query; content:"bierensgebakkramen.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])bierensgebakkramen\.nl$/i"; classtype:trojan-activity; sid:4083621; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain bierensgebakkramen.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bierensgebakkramen.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bierensgebakkramen\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083622; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain baustb.de"; dns.query; content:"baustb.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])baustb\.de$/i"; classtype:trojan-activity; sid:4083631; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain baustb.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"baustb.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])baustb\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083632; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain paymybill.guru"; dns.query; content:"paymybill.guru"; nocase; pcre: "/(^|[^A-Za-z0-9-])paymybill\.guru$/i"; classtype:trojan-activity; sid:4083641; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain paymybill.guru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"paymybill.guru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])paymybill\.guru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083642; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain centuryrs.com"; dns.query; content:"centuryrs.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])centuryrs\.com$/i"; classtype:trojan-activity; sid:4083651; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain centuryrs.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"centuryrs.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])centuryrs\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083652; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain artallnightdc.com"; dns.query; content:"artallnightdc.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])artallnightdc\.com$/i"; classtype:trojan-activity; sid:4083661; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain artallnightdc.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"artallnightdc.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])artallnightdc\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083662; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain slupetzky.at"; dns.query; content:"slupetzky.at"; nocase; pcre: "/(^|[^A-Za-z0-9-])slupetzky\.at$/i"; classtype:trojan-activity; sid:4083671; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain slupetzky.at"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"slupetzky.at"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])slupetzky\.at[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083672; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain ivivo.es"; dns.query; content:"ivivo.es"; nocase; pcre: "/(^|[^A-Za-z0-9-])ivivo\.es$/i"; classtype:trojan-activity; sid:4083681; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain ivivo.es"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ivivo.es"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ivivo\.es[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083682; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain highlinesouthasc.com"; dns.query; content:"highlinesouthasc.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])highlinesouthasc\.com$/i"; classtype:trojan-activity; sid:4083691; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain highlinesouthasc.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"highlinesouthasc.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])highlinesouthasc\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083692; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain kamienny-dywan24.pl"; dns.query; content:"kamienny-dywan24.pl"; nocase; pcre: "/(^|[^A-Za-z0-9-])kamienny\-dywan24\.pl$/i"; classtype:trojan-activity; sid:4083701; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain kamienny-dywan24.pl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kamienny-dywan24.pl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kamienny\-dywan24\.pl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083702; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain vancouver-print.ca"; dns.query; content:"vancouver-print.ca"; nocase; pcre: "/(^|[^A-Za-z0-9-])vancouver\-print\.ca$/i"; 
classtype:trojan-activity; sid:4083711; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain vancouver-print.ca"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vancouver-print.ca"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vancouver\-print\.ca[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083712; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain autodemontagenijmegen.nl"; dns.query; content:"autodemontagenijmegen.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])autodemontagenijmegen\.nl$/i"; classtype:trojan-activity; sid:4083721; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain autodemontagenijmegen.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"autodemontagenijmegen.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])autodemontagenijmegen\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083722; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain deltacleta.cat"; dns.query; content:"deltacleta.cat"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])deltacleta\.cat$/i"; classtype:trojan-activity; sid:4083731; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain deltacleta.cat"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"deltacleta.cat"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])deltacleta\.cat[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083732; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain rozemondcoaching.nl"; dns.query; content:"rozemondcoaching.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])rozemondcoaching\.nl$/i"; classtype:trojan-activity; sid:4083741; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain rozemondcoaching.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"rozemondcoaching.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])rozemondcoaching\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083742; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain nosuchthingasgovernment.com"; dns.query; content:"nosuchthingasgovernment.com"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])nosuchthingasgovernment\.com$/i"; classtype:trojan-activity; sid:4083751; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain nosuchthingasgovernment.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nosuchthingasgovernment.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nosuchthingasgovernment\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083752; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain christ-michael.net"; dns.query; content:"christ-michael.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])christ\-michael\.net$/i"; classtype:trojan-activity; sid:4083761; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain christ-michael.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"christ-michael.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])christ\-michael\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083762; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain vitavia.lt"; dns.query; content:"vitavia.lt"; 
nocase; pcre: "/(^|[^A-Za-z0-9-])vitavia\.lt$/i"; classtype:trojan-activity; sid:4083771; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain vitavia.lt"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vitavia.lt"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vitavia\.lt[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083772; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain boompinoy.com"; dns.query; content:"boompinoy.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])boompinoy\.com$/i"; classtype:trojan-activity; sid:4083781; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain boompinoy.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"boompinoy.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])boompinoy\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083782; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain loprus.pl"; dns.query; content:"loprus.pl"; nocase; pcre: "/(^|[^A-Za-z0-9-])loprus\.pl$/i"; classtype:trojan-activity; sid:4083791; 
rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain loprus.pl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"loprus.pl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])loprus\.pl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083792; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain yassir.pro"; dns.query; content:"yassir.pro"; nocase; pcre: "/(^|[^A-Za-z0-9-])yassir\.pro$/i"; classtype:trojan-activity; sid:4083801; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain yassir.pro"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"yassir.pro"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])yassir\.pro[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083802; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname wsoil.com.sg"; dns.query; content:"wsoil.com.sg"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])wsoil\.com\.sg$/i"; classtype:trojan-activity; sid:4083811; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname wsoil.com.sg"; flow:to_server,established; http.header; content: "Host|3a| wsoil.com.sg"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])wsoil\.com\.sg[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083812; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain siluet-decor.ru"; dns.query; content:"siluet-decor.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])siluet\-decor\.ru$/i"; classtype:trojan-activity; sid:4083821; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain siluet-decor.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"siluet-decor.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])siluet\-decor\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083822; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain katketytaanet.fi"; dns.query; content:"katketytaanet.fi"; nocase; pcre: "/(^|[^A-Za-z0-9-])katketytaanet\.fi$/i"; classtype:trojan-activity; sid:4083831; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain katketytaanet.fi"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"katketytaanet.fi"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])katketytaanet\.fi[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083832; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain karacaoglu.nl"; dns.query; content:"karacaoglu.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])karacaoglu\.nl$/i"; classtype:trojan-activity; sid:4083841; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain karacaoglu.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"karacaoglu.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])karacaoglu\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083842; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain trackyourconstruction.com"; dns.query; content:"trackyourconstruction.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])trackyourconstruction\.com$/i"; classtype:trojan-activity; sid:4083851; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain trackyourconstruction.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"trackyourconstruction.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])trackyourconstruction\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083852; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain frontierweldingllc.com"; dns.query; content:"frontierweldingllc.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])frontierweldingllc\.com$/i"; classtype:trojan-activity; sid:4083861; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain frontierweldingllc.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"frontierweldingllc.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])frontierweldingllc\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083862; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain partnertaxi.sk"; dns.query; content:"partnertaxi.sk"; nocase; pcre: "/(^|[^A-Za-z0-9-])partnertaxi\.sk$/i"; classtype:trojan-activity; sid:4083881; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain partnertaxi.sk"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"partnertaxi.sk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])partnertaxi\.sk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083882; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain centromarysalud.com"; dns.query; content:"centromarysalud.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])centromarysalud\.com$/i"; classtype:trojan-activity; sid:4083891; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain centromarysalud.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"centromarysalud.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])centromarysalud\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083892; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain testzandbakmetmening.online"; dns.query; content:"testzandbakmetmening.online"; nocase; pcre: "/(^|[^A-Za-z0-9-])testzandbakmetmening\.online$/i"; classtype:trojan-activity; sid:4083901; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain testzandbakmetmening.online"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"testzandbakmetmening.online"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])testzandbakmetmening\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083902; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain the-domain-trader.com"; dns.query; content:"the-domain-trader.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])the\-domain\-trader\.com$/i"; classtype:trojan-activity; sid:4083911; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain the-domain-trader.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"the-domain-trader.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])the\-domain\-trader\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083912; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain ontrailsandboulevards.com"; dns.query; content:"ontrailsandboulevards.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ontrailsandboulevards\.com$/i"; classtype:trojan-activity; sid:4083921; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain ontrailsandboulevards.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ontrailsandboulevards.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ontrailsandboulevards\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083922; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain wmiadmin.com"; dns.query; content:"wmiadmin.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])wmiadmin\.com$/i"; classtype:trojan-activity; sid:4083931; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain wmiadmin.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wmiadmin.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wmiadmin\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083932; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname dramagickcom.wordpress.com"; dns.query; content:"dramagickcom.wordpress.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])dramagickcom\.wordpress\.com$/i"; classtype:trojan-activity; sid:4083941; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname dramagickcom.wordpress.com"; flow:to_server,established; http.header; content: "Host|3a| dramagickcom.wordpress.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])dramagickcom\.wordpress\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083942; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain hrabritelefon.hr"; dns.query; content:"hrabritelefon.hr"; nocase; pcre: "/(^|[^A-Za-z0-9-])hrabritelefon\.hr$/i"; classtype:trojan-activity; sid:4083951; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain hrabritelefon.hr"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hrabritelefon.hr"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hrabritelefon\.hr[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083952; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain i-arslan.de"; dns.query; content:"i-arslan.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])i\-arslan\.de$/i"; classtype:trojan-activity; sid:4083961; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain i-arslan.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"i-arslan.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])i\-arslan\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083962; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain dr-seleznev.com"; dns.query; content:"dr-seleznev.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])dr\-seleznev\.com$/i"; classtype:trojan-activity; sid:4083971; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain dr-seleznev.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dr-seleznev.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dr\-seleznev\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083972; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain blumenhof-wegleitner.at"; dns.query; content:"blumenhof-wegleitner.at"; nocase; pcre: "/(^|[^A-Za-z0-9-])blumenhof\-wegleitner\.at$/i"; classtype:trojan-activity; sid:4083981; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain blumenhof-wegleitner.at"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"blumenhof-wegleitner.at"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])blumenhof\-wegleitner\.at[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083982; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain webmaster-peloton.com"; dns.query; content:"webmaster-peloton.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])webmaster\-peloton\.com$/i"; classtype:trojan-activity; sid:4083991; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain webmaster-peloton.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"webmaster-peloton.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])webmaster\-peloton\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4083992; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain n1-headache.com"; dns.query; content:"n1-headache.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])n1\-headache\.com$/i"; classtype:trojan-activity; sid:4084001; 
rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain n1-headache.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"n1-headache.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])n1\-headache\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084002; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname hiddencitysecrets.com.au"; dns.query; content:"hiddencitysecrets.com.au"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])hiddencitysecrets\.com\.au$/i"; classtype:trojan-activity; sid:4084011; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname hiddencitysecrets.com.au"; flow:to_server,established; http.header; content: "Host|3a| hiddencitysecrets.com.au"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])hiddencitysecrets\.com\.au[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084012; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain outcomeisincome.com"; dns.query; content:"outcomeisincome.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])outcomeisincome\.com$/i"; classtype:trojan-activity; sid:4084021; 
rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain outcomeisincome.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"outcomeisincome.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])outcomeisincome\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084022; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain hihaho.com"; dns.query; content:"hihaho.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])hihaho\.com$/i"; classtype:trojan-activity; sid:4084031; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain hihaho.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hihaho.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hihaho\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084032; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain mercantedifiori.com"; dns.query; content:"mercantedifiori.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])mercantedifiori\.com$/i"; classtype:trojan-activity; sid:4084041; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain mercantedifiori.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mercantedifiori.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mercantedifiori\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084042; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain drnice.de"; dns.query; content:"drnice.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])drnice\.de$/i"; classtype:trojan-activity; sid:4084051; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain drnice.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"drnice.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])drnice\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084052; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain tecnojobsnet.com"; dns.query; content:"tecnojobsnet.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])tecnojobsnet\.com$/i"; classtype:trojan-activity; sid:4084061; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain tecnojobsnet.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tecnojobsnet.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tecnojobsnet\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084062; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain fax-payday-loans.com"; dns.query; content:"fax-payday-loans.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])fax\-payday\-loans\.com$/i"; classtype:trojan-activity; sid:4084071; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain fax-payday-loans.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"fax-payday-loans.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])fax\-payday\-loans\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084072; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain imperfectstore.com"; dns.query; content:"imperfectstore.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])imperfectstore\.com$/i"; classtype:trojan-activity; sid:4084081; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain imperfectstore.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"imperfectstore.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])imperfectstore\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084082; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain rebeccarisher.com"; dns.query; content:"rebeccarisher.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])rebeccarisher\.com$/i"; classtype:trojan-activity; sid:4084091; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain rebeccarisher.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"rebeccarisher.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])rebeccarisher\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084092; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain walkingdeadnj.com"; dns.query; content:"walkingdeadnj.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])walkingdeadnj\.com$/i"; classtype:trojan-activity; sid:4084101; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain walkingdeadnj.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"walkingdeadnj.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])walkingdeadnj\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084102; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain longislandelderlaw.com"; dns.query; content:"longislandelderlaw.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])longislandelderlaw\.com$/i"; classtype:trojan-activity; sid:4084111; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain longislandelderlaw.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"longislandelderlaw.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])longislandelderlaw\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084112; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain gasbarre.com"; dns.query; content:"gasbarre.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])gasbarre\.com$/i"; classtype:trojan-activity; sid:4084121; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain gasbarre.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gasbarre.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gasbarre\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084122; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain mytechnoway.com"; dns.query; content:"mytechnoway.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])mytechnoway\.com$/i"; classtype:trojan-activity; sid:4084131; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain mytechnoway.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mytechnoway.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mytechnoway\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084132; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain 4youbeautysalon.com"; dns.query; content:"4youbeautysalon.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])4youbeautysalon\.com$/i"; classtype:trojan-activity; sid:4084141; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain 4youbeautysalon.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"4youbeautysalon.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])4youbeautysalon\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084142; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain catholicmusicfest.com"; dns.query; content:"catholicmusicfest.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])catholicmusicfest\.com$/i"; classtype:trojan-activity; sid:4084151; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain catholicmusicfest.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"catholicmusicfest.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])catholicmusicfest\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084152; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname kmbshipping.co.uk"; dns.query; content:"kmbshipping.co.uk"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])kmbshipping\.co\.uk$/i"; classtype:trojan-activity; sid:4084161; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: 
"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname kmbshipping.co.uk"; flow:to_server,established; http.header; content: "Host|3a| kmbshipping.co.uk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])kmbshipping\.co\.uk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084162; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain vermoote.de"; dns.query; content:"vermoote.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])vermoote\.de$/i"; classtype:trojan-activity; sid:4084171; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain vermoote.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vermoote.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vermoote\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084172; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain sojamindbody.com"; dns.query; content:"sojamindbody.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])sojamindbody\.com$/i"; classtype:trojan-activity; sid:4084181; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - 
S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain sojamindbody.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sojamindbody.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sojamindbody\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084182; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain fizzl.ru"; dns.query; content:"fizzl.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])fizzl\.ru$/i"; classtype:trojan-activity; sid:4084191; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain fizzl.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"fizzl.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])fizzl\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084192; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain dushka.ua"; dns.query; content:"dushka.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])dushka\.ua$/i"; classtype:trojan-activity; sid:4084201; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain 
dushka.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dushka.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dushka\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084202; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname aniblinova.wordpress.com"; dns.query; content:"aniblinova.wordpress.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])aniblinova\.wordpress\.com$/i"; classtype:trojan-activity; sid:4084211; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname aniblinova.wordpress.com"; flow:to_server,established; http.header; content: "Host|3a| aniblinova.wordpress.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])aniblinova\.wordpress\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084212; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain irinaverwer.com"; dns.query; content:"irinaverwer.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])irinaverwer\.com$/i"; classtype:trojan-activity; sid:4084221; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain irinaverwer.com"; 
flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"irinaverwer.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])irinaverwer\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084222; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname bundabergeyeclinic.com.au"; dns.query; content:"bundabergeyeclinic.com.au"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])bundabergeyeclinic\.com\.au$/i"; classtype:trojan-activity; sid:4084231; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname bundabergeyeclinic.com.au"; flow:to_server,established; http.header; content: "Host|3a| bundabergeyeclinic.com.au"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])bundabergeyeclinic\.com\.au[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084232; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain aminaboutique247.com"; dns.query; content:"aminaboutique247.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])aminaboutique247\.com$/i"; classtype:trojan-activity; sid:4084241; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain 
aminaboutique247.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"aminaboutique247.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])aminaboutique247\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084242; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain aakritpatel.com"; dns.query; content:"aakritpatel.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])aakritpatel\.com$/i"; classtype:trojan-activity; sid:4084251; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain aakritpatel.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"aakritpatel.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])aakritpatel\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084252; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain jobcenterkenya.com"; dns.query; content:"jobcenterkenya.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])jobcenterkenya\.com$/i"; classtype:trojan-activity; sid:4084261; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain jobcenterkenya.com"; 
flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"jobcenterkenya.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])jobcenterkenya\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084262; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname leather-factory.co.jp"; dns.query; content:"leather-factory.co.jp"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])leather\-factory\.co\.jp$/i"; classtype:trojan-activity; sid:4084271; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname leather-factory.co.jp"; flow:to_server,established; http.header; content: "Host|3a| leather-factory.co.jp"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])leather\-factory\.co\.jp[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084272; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain strategicstatements.com"; dns.query; content:"strategicstatements.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])strategicstatements\.com$/i"; classtype:trojan-activity; sid:4084281; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain 
strategicstatements.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"strategicstatements.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])strategicstatements\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084282; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain blgr.be"; dns.query; content:"blgr.be"; nocase; pcre: "/(^|[^A-Za-z0-9-])blgr\.be$/i"; classtype:trojan-activity; sid:4084291; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain blgr.be"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"blgr.be"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])blgr\.be[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084292; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain celularity.com"; dns.query; content:"celularity.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])celularity\.com$/i"; classtype:trojan-activity; sid:4084301; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain celularity.com"; flow:to_server,established; http.header; content: 
"Host|3a|"; nocase; http.header; content:"celularity.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])celularity\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084302; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain streamerzradio1.site"; dns.query; content:"streamerzradio1.site"; nocase; pcre: "/(^|[^A-Za-z0-9-])streamerzradio1\.site$/i"; classtype:trojan-activity; sid:4084311; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain streamerzradio1.site"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"streamerzradio1.site"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])streamerzradio1\.site[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084312; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain crediacces.com"; dns.query; content:"crediacces.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])crediacces\.com$/i"; classtype:trojan-activity; sid:4084321; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain crediacces.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; 
http.header; content:"crediacces.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])crediacces\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084322; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain smessier.com"; dns.query; content:"smessier.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])smessier\.com$/i"; classtype:trojan-activity; sid:4084331; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain smessier.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"smessier.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])smessier\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084332; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain woodleyacademy.org"; dns.query; content:"woodleyacademy.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])woodleyacademy\.org$/i"; classtype:trojan-activity; sid:4084341; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain woodleyacademy.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"woodleyacademy.org"; fast_pattern; 
nocase; pcre: "/(^|[^A-Za-z0-9-])woodleyacademy\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084342; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain kikedeoliveira.com"; dns.query; content:"kikedeoliveira.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])kikedeoliveira\.com$/i"; classtype:trojan-activity; sid:4084351; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain kikedeoliveira.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kikedeoliveira.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kikedeoliveira\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084352; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain mdacares.com"; dns.query; content:"mdacares.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])mdacares\.com$/i"; classtype:trojan-activity; sid:4084361; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain mdacares.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mdacares.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])mdacares\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084362; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain ditog.fr"; dns.query; content:"ditog.fr"; nocase; pcre: "/(^|[^A-Za-z0-9-])ditog\.fr$/i"; classtype:trojan-activity; sid:4084371; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain ditog.fr"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ditog.fr"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ditog\.fr[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084372; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain naturalrapids.com"; dns.query; content:"naturalrapids.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])naturalrapids\.com$/i"; classtype:trojan-activity; sid:4084381; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain naturalrapids.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"naturalrapids.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])naturalrapids\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4084382; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain answerstest.ru"; dns.query; content:"answerstest.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])answerstest\.ru$/i"; classtype:trojan-activity; sid:4084391; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain answerstest.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"answerstest.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])answerstest\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084392; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain sevenadvertising.com"; dns.query; content:"sevenadvertising.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])sevenadvertising\.com$/i"; classtype:trojan-activity; sid:4084401; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain sevenadvertising.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sevenadvertising.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sevenadvertising\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4084402; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain behavioralmedicinespecialists.com"; dns.query; content:"behavioralmedicinespecialists.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])behavioralmedicinespecialists\.com$/i"; classtype:trojan-activity; sid:4084411; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain behavioralmedicinespecialists.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"behavioralmedicinespecialists.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])behavioralmedicinespecialists\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084412; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain nhadatcanho247.com"; dns.query; content:"nhadatcanho247.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])nhadatcanho247\.com$/i"; classtype:trojan-activity; sid:4084421; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain nhadatcanho247.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nhadatcanho247.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])nhadatcanho247\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084422; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain pcp-nc.com"; dns.query; content:"pcp-nc.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])pcp\-nc\.com$/i"; classtype:trojan-activity; sid:4084431; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain pcp-nc.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pcp-nc.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pcp\-nc\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084432; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain triggi.de"; dns.query; content:"triggi.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])triggi\.de$/i"; classtype:trojan-activity; sid:4084441; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain triggi.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"triggi.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])triggi\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; 
sid:4084442; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain vloeren-nu.nl"; dns.query; content:"vloeren-nu.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])vloeren\-nu\.nl$/i"; classtype:trojan-activity; sid:4084451; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain vloeren-nu.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vloeren-nu.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vloeren\-nu\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084452; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain freie-gewerkschaften.de"; dns.query; content:"freie-gewerkschaften.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])freie\-gewerkschaften\.de$/i"; classtype:trojan-activity; sid:4084461; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain freie-gewerkschaften.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"freie-gewerkschaften.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])freie\-gewerkschaften\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; 
sid:4084462; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain fatfreezingmachines.com"; dns.query; content:"fatfreezingmachines.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])fatfreezingmachines\.com$/i"; classtype:trojan-activity; sid:4084471; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain fatfreezingmachines.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"fatfreezingmachines.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])fatfreezingmachines\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084472; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain fitovitaforum.com"; dns.query; content:"fitovitaforum.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])fitovitaforum\.com$/i"; classtype:trojan-activity; sid:4084481; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain fitovitaforum.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"fitovitaforum.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])fitovitaforum\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4084482; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain commercialboatbuilding.com"; dns.query; content:"commercialboatbuilding.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])commercialboatbuilding\.com$/i"; classtype:trojan-activity; sid:4084491; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain commercialboatbuilding.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"commercialboatbuilding.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])commercialboatbuilding\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084492; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain leeuwardenstudentcity.nl"; dns.query; content:"leeuwardenstudentcity.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])leeuwardenstudentcity\.nl$/i"; classtype:trojan-activity; sid:4084501; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain leeuwardenstudentcity.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"leeuwardenstudentcity.nl"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])leeuwardenstudentcity\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084502; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain koko-nora.dk"; dns.query; content:"koko-nora.dk"; nocase; pcre: "/(^|[^A-Za-z0-9-])koko\-nora\.dk$/i"; classtype:trojan-activity; sid:4084511; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain koko-nora.dk"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"koko-nora.dk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])koko\-nora\.dk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084512; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain associacioesportivapolitg.cat"; dns.query; content:"associacioesportivapolitg.cat"; nocase; pcre: "/(^|[^A-Za-z0-9-])associacioesportivapolitg\.cat$/i"; classtype:trojan-activity; sid:4084521; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain associacioesportivapolitg.cat"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"associacioesportivapolitg.cat"; fast_pattern; 
nocase; pcre: "/(^|[^A-Za-z0-9-])associacioesportivapolitg\.cat[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084522; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain lillegrandpalais.com"; dns.query; content:"lillegrandpalais.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])lillegrandpalais\.com$/i"; classtype:trojan-activity; sid:4084531; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain lillegrandpalais.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lillegrandpalais.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lillegrandpalais\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084532; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain dr-pipi.de"; dns.query; content:"dr-pipi.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])dr\-pipi\.de$/i"; classtype:trojan-activity; sid:4084541; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain dr-pipi.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dr-pipi.de"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])dr\-pipi\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084542; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain baylegacy.com"; dns.query; content:"baylegacy.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])baylegacy\.com$/i"; classtype:trojan-activity; sid:4084551; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain baylegacy.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"baylegacy.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])baylegacy\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084552; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain freie-baugutachterpraxis.de"; dns.query; content:"freie-baugutachterpraxis.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])freie\-baugutachterpraxis\.de$/i"; classtype:trojan-activity; sid:4084561; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain freie-baugutachterpraxis.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"freie-baugutachterpraxis.de"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])freie\-baugutachterpraxis\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084562; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain westdeptfordbuyrite.com"; dns.query; content:"westdeptfordbuyrite.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])westdeptfordbuyrite\.com$/i"; classtype:trojan-activity; sid:4084571; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain westdeptfordbuyrite.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"westdeptfordbuyrite.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])westdeptfordbuyrite\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084572; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain remcakram.com"; dns.query; content:"remcakram.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])remcakram\.com$/i"; classtype:trojan-activity; sid:4084581; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain remcakram.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"remcakram.com"; fast_pattern; nocase; 
pcre: "/(^|[^A-Za-z0-9-])remcakram\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084582; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain hushavefritid.dk"; dns.query; content:"hushavefritid.dk"; nocase; pcre: "/(^|[^A-Za-z0-9-])hushavefritid\.dk$/i"; classtype:trojan-activity; sid:4084591; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain hushavefritid.dk"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hushavefritid.dk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hushavefritid\.dk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084592; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain hhcourier.com"; dns.query; content:"hhcourier.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])hhcourier\.com$/i"; classtype:trojan-activity; sid:4084601; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain hhcourier.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hhcourier.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])hhcourier\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084602; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain flexicloud.hk"; dns.query; content:"flexicloud.hk"; nocase; pcre: "/(^|[^A-Za-z0-9-])flexicloud\.hk$/i"; classtype:trojan-activity; sid:4084611; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain flexicloud.hk"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"flexicloud.hk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])flexicloud\.hk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084612; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain ravensnesthomegoods.com"; dns.query; content:"ravensnesthomegoods.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ravensnesthomegoods\.com$/i"; classtype:trojan-activity; sid:4084621; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain ravensnesthomegoods.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ravensnesthomegoods.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])ravensnesthomegoods\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084622; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain kath-kirche-gera.de"; dns.query; content:"kath-kirche-gera.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])kath\-kirche\-gera\.de$/i"; classtype:trojan-activity; sid:4084631; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain kath-kirche-gera.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kath-kirche-gera.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kath\-kirche\-gera\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084632; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain financescorecard.com"; dns.query; content:"financescorecard.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])financescorecard\.com$/i"; classtype:trojan-activity; sid:4084641; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain financescorecard.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"financescorecard.com"; fast_pattern; 
nocase; pcre: "/(^|[^A-Za-z0-9-])financescorecard\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084642; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain team-montage.dk"; dns.query; content:"team-montage.dk"; nocase; pcre: "/(^|[^A-Za-z0-9-])team\-montage\.dk$/i"; classtype:trojan-activity; sid:4084651; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain team-montage.dk"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"team-montage.dk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])team\-montage\.dk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084652; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain newyou.at"; dns.query; content:"newyou.at"; nocase; pcre: "/(^|[^A-Za-z0-9-])newyou\.at$/i"; classtype:trojan-activity; sid:4084661; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain newyou.at"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"newyou.at"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])newyou\.at[^A-Za-z0-9-\.]/Hi"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4084662; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain iqbalscientific.com"; dns.query; content:"iqbalscientific.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])iqbalscientific\.com$/i"; classtype:trojan-activity; sid:4084671; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain iqbalscientific.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"iqbalscientific.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])iqbalscientific\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084672; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain 123vrachi.ru"; dns.query; content:"123vrachi.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])123vrachi\.ru$/i"; classtype:trojan-activity; sid:4084681; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain 123vrachi.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"123vrachi.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])123vrachi\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4084682; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain balticdentists.com"; dns.query; content:"balticdentists.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])balticdentists\.com$/i"; classtype:trojan-activity; sid:4084691; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain balticdentists.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"balticdentists.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])balticdentists\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084692; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain maureenbreezedancetheater.org"; dns.query; content:"maureenbreezedancetheater.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])maureenbreezedancetheater\.org$/i"; classtype:trojan-activity; sid:4084701; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain maureenbreezedancetheater.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"maureenbreezedancetheater.org"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])maureenbreezedancetheater\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084702; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain ncs-graphic-studio.com"; dns.query; content:"ncs-graphic-studio.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ncs\-graphic\-studio\.com$/i"; classtype:trojan-activity; sid:4084711; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain ncs-graphic-studio.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ncs-graphic-studio.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ncs\-graphic\-studio\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084712; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain shhealthlaw.com"; dns.query; content:"shhealthlaw.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])shhealthlaw\.com$/i"; classtype:trojan-activity; sid:4084721; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain shhealthlaw.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"shhealthlaw.com"; fast_pattern; 
nocase; pcre: "/(^|[^A-Za-z0-9-])shhealthlaw\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084722; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname ymca-cw.org.uk"; dns.query; content:"ymca-cw.org.uk"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ymca\-cw\.org\.uk$/i"; classtype:trojan-activity; sid:4084731; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname ymca-cw.org.uk"; flow:to_server,established; http.header; content: "Host|3a| ymca-cw.org.uk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ymca\-cw\.org\.uk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084732; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname serce.info.pl"; dns.query; content:"serce.info.pl"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])serce\.info\.pl$/i"; classtype:trojan-activity; sid:4084741; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname serce.info.pl"; flow:to_server,established; http.header; content: "Host|3a| serce.info.pl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])serce\.info\.pl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4084742; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain higadograsoweb.com"; dns.query; content:"higadograsoweb.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])higadograsoweb\.com$/i"; classtype:trojan-activity; sid:4084751; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain higadograsoweb.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"higadograsoweb.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])higadograsoweb\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084752; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain vibethink.net"; dns.query; content:"vibethink.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])vibethink\.net$/i"; classtype:trojan-activity; sid:4084761; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain vibethink.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vibethink.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vibethink\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084762; 
rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain eraorastudio.com"; dns.query; content:"eraorastudio.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])eraorastudio\.com$/i"; classtype:trojan-activity; sid:4084771; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain eraorastudio.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"eraorastudio.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])eraorastudio\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084772; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain edelman.jp"; dns.query; content:"edelman.jp"; nocase; pcre: "/(^|[^A-Za-z0-9-])edelman\.jp$/i"; classtype:trojan-activity; sid:4084781; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain edelman.jp"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"edelman.jp"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])edelman\.jp[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084782; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain elpa.se"; dns.query; content:"elpa.se"; nocase; pcre: "/(^|[^A-Za-z0-9-])elpa\.se$/i"; classtype:trojan-activity; sid:4084791; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain elpa.se"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"elpa.se"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])elpa\.se[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084792; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain stampagrafica.es"; dns.query; content:"stampagrafica.es"; nocase; pcre: "/(^|[^A-Za-z0-9-])stampagrafica\.es$/i"; classtype:trojan-activity; sid:4084801; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain stampagrafica.es"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"stampagrafica.es"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])stampagrafica\.es[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084802; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: 
"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain boldcitydowntown.com"; dns.query; content:"boldcitydowntown.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])boldcitydowntown\.com$/i"; classtype:trojan-activity; sid:4084811; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain boldcitydowntown.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"boldcitydowntown.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])boldcitydowntown\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084812; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain rosavalamedahr.com"; dns.query; content:"rosavalamedahr.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])rosavalamedahr\.com$/i"; classtype:trojan-activity; sid:4084821; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain rosavalamedahr.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"rosavalamedahr.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])rosavalamedahr\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084822; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: 
"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname ralister.co.uk"; dns.query; content:"ralister.co.uk"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ralister\.co\.uk$/i"; classtype:trojan-activity; sid:4084831; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname ralister.co.uk"; flow:to_server,established; http.header; content: "Host|3a| ralister.co.uk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ralister\.co\.uk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084832; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain poultrypartners.nl"; dns.query; content:"poultrypartners.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])poultrypartners\.nl$/i"; classtype:trojan-activity; sid:4084841; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain poultrypartners.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"poultrypartners.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])poultrypartners\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084842; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname delchacay.com.ar"; dns.query; content:"delchacay.com.ar"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])delchacay\.com\.ar$/i"; classtype:trojan-activity; sid:4084851; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname delchacay.com.ar"; flow:to_server,established; http.header; content: "Host|3a| delchacay.com.ar"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])delchacay\.com\.ar[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084852; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname simpkinsedwards.co.uk"; dns.query; content:"simpkinsedwards.co.uk"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])simpkinsedwards\.co\.uk$/i"; classtype:trojan-activity; sid:4084861; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname simpkinsedwards.co.uk"; flow:to_server,established; http.header; content: "Host|3a| simpkinsedwards.co.uk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])simpkinsedwards\.co\.uk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084862; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz 
- S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain dubnew.com"; dns.query; content:"dubnew.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])dubnew\.com$/i"; classtype:trojan-activity; sid:4084871; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain dubnew.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dubnew.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dubnew\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084872; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain lenreactiv-shop.ru"; dns.query; content:"lenreactiv-shop.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])lenreactiv\-shop\.ru$/i"; classtype:trojan-activity; sid:4084881; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain lenreactiv-shop.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lenreactiv-shop.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lenreactiv\-shop\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084882; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - 
S0029",tlp:white] Domain galleryartfair.com"; dns.query; content:"galleryartfair.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])galleryartfair\.com$/i"; classtype:trojan-activity; sid:4084891; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain galleryartfair.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"galleryartfair.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])galleryartfair\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084892; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain tinkoff-mobayl.ru"; dns.query; content:"tinkoff-mobayl.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])tinkoff\-mobayl\.ru$/i"; classtype:trojan-activity; sid:4084901; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain tinkoff-mobayl.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tinkoff-mobayl.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tinkoff\-mobayl\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084902; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] 
Domain launchhubl.com"; dns.query; content:"launchhubl.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])launchhubl\.com$/i"; classtype:trojan-activity; sid:4084911; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain launchhubl.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"launchhubl.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])launchhubl\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084912; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain myhostcloud.com"; dns.query; content:"myhostcloud.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])myhostcloud\.com$/i"; classtype:trojan-activity; sid:4084921; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain myhostcloud.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"myhostcloud.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])myhostcloud\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084922; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain verifort-capital.de"; dns.query; 
content:"verifort-capital.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])verifort\-capital\.de$/i"; classtype:trojan-activity; sid:4084931; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain verifort-capital.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"verifort-capital.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])verifort\-capital\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084932; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain entopic.com"; dns.query; content:"entopic.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])entopic\.com$/i"; classtype:trojan-activity; sid:4084941; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain entopic.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"entopic.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])entopic\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084942; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain spylista.com"; dns.query; content:"spylista.com"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])spylista\.com$/i"; classtype:trojan-activity; sid:4084951; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain spylista.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"spylista.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])spylista\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084952; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain xltyu.com"; dns.query; content:"xltyu.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])xltyu\.com$/i"; classtype:trojan-activity; sid:4084961; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain xltyu.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"xltyu.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])xltyu\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084962; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain kaminscy.com"; dns.query; content:"kaminscy.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])kaminscy\.com$/i"; classtype:trojan-activity; sid:4084971; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain kaminscy.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kaminscy.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kaminscy\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084972; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain kevinjodea.com"; dns.query; content:"kevinjodea.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])kevinjodea\.com$/i"; classtype:trojan-activity; sid:4084981; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain kevinjodea.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kevinjodea.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kevinjodea\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084982; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain muamuadolls.com"; dns.query; content:"muamuadolls.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])muamuadolls\.com$/i"; classtype:trojan-activity; sid:4084991; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain muamuadolls.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"muamuadolls.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])muamuadolls\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4084992; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain autodujos.lt"; dns.query; content:"autodujos.lt"; nocase; pcre: "/(^|[^A-Za-z0-9-])autodujos\.lt$/i"; classtype:trojan-activity; sid:4085001; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain autodujos.lt"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"autodujos.lt"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])autodujos\.lt[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085002; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain pickanose.com"; dns.query; content:"pickanose.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])pickanose\.com$/i"; classtype:trojan-activity; sid:4085011; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain pickanose.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pickanose.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pickanose\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085012; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain bogdanpeptine.ro"; dns.query; content:"bogdanpeptine.ro"; nocase; pcre: "/(^|[^A-Za-z0-9-])bogdanpeptine\.ro$/i"; classtype:trojan-activity; sid:4085021; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain bogdanpeptine.ro"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bogdanpeptine.ro"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bogdanpeptine\.ro[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085022; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain homecomingstudio.com"; dns.query; content:"homecomingstudio.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])homecomingstudio\.com$/i"; classtype:trojan-activity; sid:4085031; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain homecomingstudio.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"homecomingstudio.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])homecomingstudio\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085032; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain odiclinic.org"; dns.query; content:"odiclinic.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])odiclinic\.org$/i"; classtype:trojan-activity; sid:4085041; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain odiclinic.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"odiclinic.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])odiclinic\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085042; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname hotelsolbh.com.br"; dns.query; content:"hotelsolbh.com.br"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])hotelsolbh\.com\.br$/i"; classtype:trojan-activity; sid:4085051; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname hotelsolbh.com.br"; flow:to_server,established; http.header; content: "Host|3a| hotelsolbh.com.br"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])hotelsolbh\.com\.br[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085052; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain bptdmaluku.com"; dns.query; content:"bptdmaluku.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])bptdmaluku\.com$/i"; classtype:trojan-activity; sid:4085061; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain bptdmaluku.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bptdmaluku.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bptdmaluku\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085062; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain henricekupper.com"; dns.query; content:"henricekupper.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])henricekupper\.com$/i"; classtype:trojan-activity; sid:4085071; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - 
S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain henricekupper.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"henricekupper.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])henricekupper\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085072; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain degroenetunnel.com"; dns.query; content:"degroenetunnel.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])degroenetunnel\.com$/i"; classtype:trojan-activity; sid:4085081; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain degroenetunnel.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"degroenetunnel.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])degroenetunnel\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085082; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain profectis.de"; dns.query; content:"profectis.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])profectis\.de$/i"; classtype:trojan-activity; sid:4085091; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - 
S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain profectis.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"profectis.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])profectis\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085092; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain appsformacpc.com"; dns.query; content:"appsformacpc.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])appsformacpc\.com$/i"; classtype:trojan-activity; sid:4085101; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain appsformacpc.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"appsformacpc.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])appsformacpc\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085102; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain diversiapsicologia.es"; dns.query; content:"diversiapsicologia.es"; nocase; pcre: "/(^|[^A-Za-z0-9-])diversiapsicologia\.es$/i"; classtype:trojan-activity; sid:4085111; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - 
S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain diversiapsicologia.es"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"diversiapsicologia.es"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])diversiapsicologia\.es[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085112; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain drfoyle.com"; dns.query; content:"drfoyle.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])drfoyle\.com$/i"; classtype:trojan-activity; sid:4085121; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain drfoyle.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"drfoyle.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])drfoyle\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085122; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain ostheimer.at"; dns.query; content:"ostheimer.at"; nocase; pcre: "/(^|[^A-Za-z0-9-])ostheimer\.at$/i"; classtype:trojan-activity; sid:4085131; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - 
S0029",tlp:white] Outgoing HTTP Domain ostheimer.at"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ostheimer.at"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ostheimer\.at[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085132; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain greenpark.ch"; dns.query; content:"greenpark.ch"; nocase; pcre: "/(^|[^A-Za-z0-9-])greenpark\.ch$/i"; classtype:trojan-activity; sid:4085141; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain greenpark.ch"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"greenpark.ch"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])greenpark\.ch[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085142; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain stormwall.se"; dns.query; content:"stormwall.se"; nocase; pcre: "/(^|[^A-Za-z0-9-])stormwall\.se$/i"; classtype:trojan-activity; sid:4085151; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain stormwall.se"; flow:to_server,established; 
http.header; content: "Host|3a|"; nocase; http.header; content:"stormwall.se"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])stormwall\.se[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085152; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain quemargrasa.net"; dns.query; content:"quemargrasa.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])quemargrasa\.net$/i"; classtype:trojan-activity; sid:4085161; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain quemargrasa.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"quemargrasa.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])quemargrasa\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085162; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain nijaplay.com"; dns.query; content:"nijaplay.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])nijaplay\.com$/i"; classtype:trojan-activity; sid:4085171; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain nijaplay.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; 
content:"nijaplay.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nijaplay\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085172; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain tastewilliamsburg.com"; dns.query; content:"tastewilliamsburg.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])tastewilliamsburg\.com$/i"; classtype:trojan-activity; sid:4085181; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain tastewilliamsburg.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tastewilliamsburg.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tastewilliamsburg\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085182; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain abogadosaccidentetraficosevilla.es"; dns.query; content:"abogadosaccidentetraficosevilla.es"; nocase; pcre: "/(^|[^A-Za-z0-9-])abogadosaccidentetraficosevilla\.es$/i"; classtype:trojan-activity; sid:4085191; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain abogadosaccidentetraficosevilla.es"; 
flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"abogadosaccidentetraficosevilla.es"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])abogadosaccidentetraficosevilla\.es[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085192; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain personalenhancementcenter.com"; dns.query; content:"personalenhancementcenter.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])personalenhancementcenter\.com$/i"; classtype:trojan-activity; sid:4085201; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain personalenhancementcenter.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"personalenhancementcenter.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])personalenhancementcenter\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085202; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain adultgamezone.com"; dns.query; content:"adultgamezone.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])adultgamezone\.com$/i"; classtype:trojan-activity; sid:4085211; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - 
S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain adultgamezone.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"adultgamezone.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])adultgamezone\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085212; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain ogdenvision.com"; dns.query; content:"ogdenvision.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ogdenvision\.com$/i"; classtype:trojan-activity; sid:4085221; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain ogdenvision.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ogdenvision.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ogdenvision\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085222; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain ecopro-kanto.com"; dns.query; content:"ecopro-kanto.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ecopro\-kanto\.com$/i"; classtype:trojan-activity; sid:4085231; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - 
S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain ecopro-kanto.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ecopro-kanto.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ecopro\-kanto\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085232; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain babcockchurch.org"; dns.query; content:"babcockchurch.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])babcockchurch\.org$/i"; classtype:trojan-activity; sid:4085241; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain babcockchurch.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"babcockchurch.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])babcockchurch\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085242; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain reddysbakery.com"; dns.query; content:"reddysbakery.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])reddysbakery\.com$/i"; classtype:trojan-activity; sid:4085251; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - 
S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain reddysbakery.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"reddysbakery.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])reddysbakery\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085252; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain seagatesthreecharters.com"; dns.query; content:"seagatesthreecharters.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])seagatesthreecharters\.com$/i"; classtype:trojan-activity; sid:4085261; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain seagatesthreecharters.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"seagatesthreecharters.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])seagatesthreecharters\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085262; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname nicoleaeschbachorg.wordpress.com"; dns.query; content:"nicoleaeschbachorg.wordpress.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])nicoleaeschbachorg\.wordpress\.com$/i"; classtype:trojan-activity; sid:4085271; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname nicoleaeschbachorg.wordpress.com"; flow:to_server,established; http.header; content: "Host|3a| nicoleaeschbachorg.wordpress.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])nicoleaeschbachorg\.wordpress\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085272; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain real-estate-experts.com"; dns.query; content:"real-estate-experts.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])real\-estate\-experts\.com$/i"; classtype:trojan-activity; sid:4085281; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain real-estate-experts.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"real-estate-experts.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])real\-estate\-experts\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085282; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain imadarchid.com"; dns.query; content:"imadarchid.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])imadarchid\.com$/i"; classtype:trojan-activity; sid:4085301; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain imadarchid.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"imadarchid.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])imadarchid\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085302; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain tongdaifpthaiphong.net"; dns.query; content:"tongdaifpthaiphong.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])tongdaifpthaiphong\.net$/i"; classtype:trojan-activity; sid:4085311; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain tongdaifpthaiphong.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tongdaifpthaiphong.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tongdaifpthaiphong\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085312; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain kissit.ca"; dns.query; content:"kissit.ca"; nocase; pcre: "/(^|[^A-Za-z0-9-])kissit\.ca$/i"; classtype:trojan-activity; sid:4085321; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain kissit.ca"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kissit.ca"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kissit\.ca[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085322; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain littlebird.salon"; dns.query; content:"littlebird.salon"; nocase; pcre: "/(^|[^A-Za-z0-9-])littlebird\.salon$/i"; classtype:trojan-activity; sid:4085331; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain littlebird.salon"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"littlebird.salon"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])littlebird\.salon[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085332; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain kariokids.com"; dns.query; content:"kariokids.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])kariokids\.com$/i"; classtype:trojan-activity; sid:4085341; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain kariokids.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kariokids.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kariokids\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085342; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname ausbeverage.com.au"; dns.query; content:"ausbeverage.com.au"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ausbeverage\.com\.au$/i"; classtype:trojan-activity; sid:4085351; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname ausbeverage.com.au"; flow:to_server,established; http.header; content: "Host|3a| ausbeverage.com.au"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ausbeverage\.com\.au[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085352; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname lapmangfpt.info.vn"; dns.query; content:"lapmangfpt.info.vn"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])lapmangfpt\.info\.vn$/i"; classtype:trojan-activity; sid:4085361; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname lapmangfpt.info.vn"; flow:to_server,established; http.header; content: "Host|3a| lapmangfpt.info.vn"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])lapmangfpt\.info\.vn[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085362; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain crowcanyon.com"; dns.query; content:"crowcanyon.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])crowcanyon\.com$/i"; classtype:trojan-activity; sid:4085371; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain crowcanyon.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"crowcanyon.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])crowcanyon\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085372; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain alsace-first.com"; dns.query; content:"alsace-first.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])alsace\-first\.com$/i"; classtype:trojan-activity; sid:4085381; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - 
S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain alsace-first.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"alsace-first.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])alsace\-first\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085382; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain southeasternacademyofprosthodontics.org"; dns.query; content:"southeasternacademyofprosthodontics.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])southeasternacademyofprosthodontics\.org$/i"; classtype:trojan-activity; sid:4085391; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain southeasternacademyofprosthodontics.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"southeasternacademyofprosthodontics.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])southeasternacademyofprosthodontics\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085392; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain maryloutaylor.com"; dns.query; content:"maryloutaylor.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])maryloutaylor\.com$/i"; classtype:trojan-activity; sid:4085401; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain maryloutaylor.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"maryloutaylor.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])maryloutaylor\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085402; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain psc.de"; dns.query; content:"psc.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])psc\.de$/i"; classtype:trojan-activity; sid:4085421; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain psc.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"psc.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])psc\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085422; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain vyhino-zhulebino-24.ru"; dns.query; content:"vyhino-zhulebino-24.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])vyhino\-zhulebino\-24\.ru$/i"; classtype:trojan-activity; sid:4085431; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain vyhino-zhulebino-24.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vyhino-zhulebino-24.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vyhino\-zhulebino\-24\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085432; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain cuspdental.com"; dns.query; content:"cuspdental.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])cuspdental\.com$/i"; classtype:trojan-activity; sid:4085441; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain cuspdental.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cuspdental.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cuspdental\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085442; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain crosspointefellowship.church"; dns.query; content:"crosspointefellowship.church"; nocase; pcre: "/(^|[^A-Za-z0-9-])crosspointefellowship\.church$/i"; classtype:trojan-activity; sid:4085451; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: 
"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain crosspointefellowship.church"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"crosspointefellowship.church"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])crosspointefellowship\.church[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085452; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain zieglerbrothers.de"; dns.query; content:"zieglerbrothers.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])zieglerbrothers\.de$/i"; classtype:trojan-activity; sid:4085461; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain zieglerbrothers.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"zieglerbrothers.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])zieglerbrothers\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085462; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain logopaedie-blomberg.de"; dns.query; content:"logopaedie-blomberg.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])logopaedie\-blomberg\.de$/i"; classtype:trojan-activity; sid:4085471; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain logopaedie-blomberg.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"logopaedie-blomberg.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])logopaedie\-blomberg\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085472; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain xn--logopdie-leverkusen-kwb.de"; dns.query; content:"xn--logopdie-leverkusen-kwb.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])xn\-\-logopdie\-leverkusen\-kwb\.de$/i"; classtype:trojan-activity; sid:4085481; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain xn--logopdie-leverkusen-kwb.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"xn--logopdie-leverkusen-kwb.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])xn\-\-logopdie\-leverkusen\-kwb\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085482; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain stemenstilte.nl"; dns.query; content:"stemenstilte.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])stemenstilte\.nl$/i"; classtype:trojan-activity; sid:4085491; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain stemenstilte.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"stemenstilte.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])stemenstilte\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085492; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain osterberg.fi"; dns.query; content:"osterberg.fi"; nocase; pcre: "/(^|[^A-Za-z0-9-])osterberg\.fi$/i"; classtype:trojan-activity; sid:4085501; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain osterberg.fi"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"osterberg.fi"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])osterberg\.fi[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085502; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain broseller.com"; dns.query; content:"broseller.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])broseller\.com$/i"; classtype:trojan-activity; sid:4085511; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain broseller.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"broseller.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])broseller\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085512; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname rostoncastings.co.uk"; dns.query; content:"rostoncastings.co.uk"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])rostoncastings\.co\.uk$/i"; classtype:trojan-activity; sid:4085521; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname rostoncastings.co.uk"; flow:to_server,established; http.header; content: "Host|3a| rostoncastings.co.uk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])rostoncastings\.co\.uk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085522; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain artige.com"; dns.query; content:"artige.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])artige\.com$/i"; classtype:trojan-activity; sid:4085531; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain artige.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"artige.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])artige\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085532; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain quizzingbee.com"; dns.query; content:"quizzingbee.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])quizzingbee\.com$/i"; classtype:trojan-activity; sid:4085541; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain quizzingbee.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"quizzingbee.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])quizzingbee\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085542; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain mbfagency.com"; dns.query; content:"mbfagency.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])mbfagency\.com$/i"; classtype:trojan-activity; sid:4085551; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - 
S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain mbfagency.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mbfagency.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mbfagency\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085552; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain jandaonline.com"; dns.query; content:"jandaonline.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])jandaonline\.com$/i"; classtype:trojan-activity; sid:4085561; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain jandaonline.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"jandaonline.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])jandaonline\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085562; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain woodworkersolution.com"; dns.query; content:"woodworkersolution.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])woodworkersolution\.com$/i"; classtype:trojan-activity; sid:4085571; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - 
S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain woodworkersolution.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"woodworkersolution.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])woodworkersolution\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085572; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain nvwoodwerks.com"; dns.query; content:"nvwoodwerks.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])nvwoodwerks\.com$/i"; classtype:trojan-activity; sid:4085581; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain nvwoodwerks.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nvwoodwerks.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nvwoodwerks\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085582; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain evologic-technologies.com"; dns.query; content:"evologic-technologies.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])evologic\-technologies\.com$/i"; classtype:trojan-activity; sid:4085591; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz 
- S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain evologic-technologies.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"evologic-technologies.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])evologic\-technologies\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085592; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain stefanpasch.me"; dns.query; content:"stefanpasch.me"; nocase; pcre: "/(^|[^A-Za-z0-9-])stefanpasch\.me$/i"; classtype:trojan-activity; sid:4085601; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain stefanpasch.me"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"stefanpasch.me"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])stefanpasch\.me[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085602; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname leda-ukraine.com.ua"; dns.query; content:"leda-ukraine.com.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])leda\-ukraine\.com\.ua$/i"; classtype:trojan-activity; sid:4085611; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - 
S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname leda-ukraine.com.ua"; flow:to_server,established; http.header; content: "Host|3a| leda-ukraine.com.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])leda\-ukraine\.com\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085612; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain layrshift.eu"; dns.query; content:"layrshift.eu"; nocase; pcre: "/(^|[^A-Za-z0-9-])layrshift\.eu$/i"; classtype:trojan-activity; sid:4085621; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain layrshift.eu"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"layrshift.eu"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])layrshift\.eu[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085622; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain mepavex.nl"; dns.query; content:"mepavex.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])mepavex\.nl$/i"; classtype:trojan-activity; sid:4085631; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain 
mepavex.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mepavex.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mepavex\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085632; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain jsfg.com"; dns.query; content:"jsfg.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])jsfg\.com$/i"; classtype:trojan-activity; sid:4085641; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain jsfg.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"jsfg.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])jsfg\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085642; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain milestoneshows.com"; dns.query; content:"milestoneshows.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])milestoneshows\.com$/i"; classtype:trojan-activity; sid:4085651; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain milestoneshows.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; 
http.header; content:"milestoneshows.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])milestoneshows\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085652; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname ventti.com.ar"; dns.query; content:"ventti.com.ar"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ventti\.com\.ar$/i"; classtype:trojan-activity; sid:4085661; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname ventti.com.ar"; flow:to_server,established; http.header; content: "Host|3a| ventti.com.ar"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ventti\.com\.ar[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085662; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain falcou.fr"; dns.query; content:"falcou.fr"; nocase; pcre: "/(^|[^A-Za-z0-9-])falcou\.fr$/i"; classtype:trojan-activity; sid:4085671; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain falcou.fr"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"falcou.fr"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])falcou\.fr[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085672; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain upplandsspar.se"; dns.query; content:"upplandsspar.se"; nocase; pcre: "/(^|[^A-Za-z0-9-])upplandsspar\.se$/i"; classtype:trojan-activity; sid:4085681; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain upplandsspar.se"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"upplandsspar.se"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])upplandsspar\.se[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085682; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain coastalbridgeadvisors.com"; dns.query; content:"coastalbridgeadvisors.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])coastalbridgeadvisors\.com$/i"; classtype:trojan-activity; sid:4085691; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain coastalbridgeadvisors.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"coastalbridgeadvisors.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])coastalbridgeadvisors\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085692; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain baptisttabernacle.com"; dns.query; content:"baptisttabernacle.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])baptisttabernacle\.com$/i"; classtype:trojan-activity; sid:4085701; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain baptisttabernacle.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"baptisttabernacle.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])baptisttabernacle\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085702; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain triactis.com"; dns.query; content:"triactis.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])triactis\.com$/i"; classtype:trojan-activity; sid:4085711; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain triactis.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"triactis.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])triactis\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085712; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain mank.de"; dns.query; content:"mank.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])mank\.de$/i"; classtype:trojan-activity; sid:4085721; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain mank.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mank.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mank\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085722; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname twohourswithlena.wordpress.com"; dns.query; content:"twohourswithlena.wordpress.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])twohourswithlena\.wordpress\.com$/i"; classtype:trojan-activity; sid:4085731; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname twohourswithlena.wordpress.com"; flow:to_server,established; http.header; content: "Host|3a| twohourswithlena.wordpress.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-\.])twohourswithlena\.wordpress\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085732; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain bingonearme.org"; dns.query; content:"bingonearme.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])bingonearme\.org$/i"; classtype:trojan-activity; sid:4085741; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain bingonearme.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bingonearme.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bingonearme\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085742; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname darnallwellbeing.org.uk"; dns.query; content:"darnallwellbeing.org.uk"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])darnallwellbeing\.org\.uk$/i"; classtype:trojan-activity; sid:4085751; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname darnallwellbeing.org.uk"; flow:to_server,established; http.header; content: "Host|3a| darnallwellbeing.org.uk"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-\.])darnallwellbeing\.org\.uk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085752; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain mrsfieldskc.com"; dns.query; content:"mrsfieldskc.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])mrsfieldskc\.com$/i"; classtype:trojan-activity; sid:4085761; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain mrsfieldskc.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mrsfieldskc.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mrsfieldskc\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085762; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain datacenters-in-europe.com"; dns.query; content:"datacenters-in-europe.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])datacenters\-in\-europe\.com$/i"; classtype:trojan-activity; sid:4085771; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain datacenters-in-europe.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"datacenters-in-europe.com"; fast_pattern; 
nocase; pcre: "/(^|[^A-Za-z0-9-])datacenters\-in\-europe\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085772; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain first-2-aid-u.com"; dns.query; content:"first-2-aid-u.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])first\-2\-aid\-u\.com$/i"; classtype:trojan-activity; sid:4085781; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain first-2-aid-u.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"first-2-aid-u.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])first\-2\-aid\-u\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085782; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain antenanavi.com"; dns.query; content:"antenanavi.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])antenanavi\.com$/i"; classtype:trojan-activity; sid:4085791; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain antenanavi.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"antenanavi.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])antenanavi\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085792; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain ledmes.ru"; dns.query; content:"ledmes.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])ledmes\.ru$/i"; classtype:trojan-activity; sid:4085801; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain ledmes.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ledmes.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ledmes\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085802; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain fitnessbazaar.com"; dns.query; content:"fitnessbazaar.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])fitnessbazaar\.com$/i"; classtype:trojan-activity; sid:4085811; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain fitnessbazaar.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"fitnessbazaar.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])fitnessbazaar\.com[^A-Za-z0-9-\.]/Hi"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4085812; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain agence-chocolat-noir.com"; dns.query; content:"agence-chocolat-noir.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])agence\-chocolat\-noir\.com$/i"; classtype:trojan-activity; sid:4085821; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain agence-chocolat-noir.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"agence-chocolat-noir.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])agence\-chocolat\-noir\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085822; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain miriamgrimm.de"; dns.query; content:"miriamgrimm.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])miriamgrimm\.de$/i"; classtype:trojan-activity; sid:4085831; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain miriamgrimm.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"miriamgrimm.de"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])miriamgrimm\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085832; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain stupbratt.no"; dns.query; content:"stupbratt.no"; nocase; pcre: "/(^|[^A-Za-z0-9-])stupbratt\.no$/i"; classtype:trojan-activity; sid:4085841; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain stupbratt.no"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"stupbratt.no"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])stupbratt\.no[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085842; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain extraordinaryoutdoors.com"; dns.query; content:"extraordinaryoutdoors.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])extraordinaryoutdoors\.com$/i"; classtype:trojan-activity; sid:4085851; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain extraordinaryoutdoors.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"extraordinaryoutdoors.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])extraordinaryoutdoors\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085852; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain bildungsunderlebnis.haus"; dns.query; content:"bildungsunderlebnis.haus"; nocase; pcre: "/(^|[^A-Za-z0-9-])bildungsunderlebnis\.haus$/i"; classtype:trojan-activity; sid:4085861; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain bildungsunderlebnis.haus"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bildungsunderlebnis.haus"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bildungsunderlebnis\.haus[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085862; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain lapinlviasennus.fi"; dns.query; content:"lapinlviasennus.fi"; nocase; pcre: "/(^|[^A-Za-z0-9-])lapinlviasennus\.fi$/i"; classtype:trojan-activity; sid:4085871; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain lapinlviasennus.fi"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; 
content:"lapinlviasennus.fi"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lapinlviasennus\.fi[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085872; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain selfoutlet.com"; dns.query; content:"selfoutlet.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])selfoutlet\.com$/i"; classtype:trojan-activity; sid:4085881; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain selfoutlet.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"selfoutlet.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])selfoutlet\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085882; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain cyntox.com"; dns.query; content:"cyntox.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])cyntox\.com$/i"; classtype:trojan-activity; sid:4085891; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain cyntox.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cyntox.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])cyntox\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085892; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain jbbjw.com"; dns.query; content:"jbbjw.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])jbbjw\.com$/i"; classtype:trojan-activity; sid:4085901; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain jbbjw.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"jbbjw.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])jbbjw\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085902; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname web.ion.ag"; dns.query; content:"web.ion.ag"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])web\.ion\.ag$/i"; classtype:trojan-activity; sid:4085911; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname web.ion.ag"; flow:to_server,established; http.header; content: "Host|3a| web.ion.ag"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])web\.ion\.ag[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085912; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain galserwis.pl"; dns.query; content:"galserwis.pl"; nocase; pcre: "/(^|[^A-Za-z0-9-])galserwis\.pl$/i"; classtype:trojan-activity; sid:4085921; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain galserwis.pl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"galserwis.pl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])galserwis\.pl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085922; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname beyondmarcomdotcom.wordpress.com"; dns.query; content:"beyondmarcomdotcom.wordpress.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])beyondmarcomdotcom\.wordpress\.com$/i"; classtype:trojan-activity; sid:4085931; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname beyondmarcomdotcom.wordpress.com"; flow:to_server,established; http.header; content: "Host|3a| beyondmarcomdotcom.wordpress.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])beyondmarcomdotcom\.wordpress\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085932; rev:1; 
priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain devlaur.com"; dns.query; content:"devlaur.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])devlaur\.com$/i"; classtype:trojan-activity; sid:4085941; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain devlaur.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"devlaur.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])devlaur\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085942; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain destinationclients.fr"; dns.query; content:"destinationclients.fr"; nocase; pcre: "/(^|[^A-Za-z0-9-])destinationclients\.fr$/i"; classtype:trojan-activity; sid:4085951; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain destinationclients.fr"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"destinationclients.fr"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])destinationclients\.fr[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085952; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain jorgobe.at"; dns.query; content:"jorgobe.at"; nocase; pcre: "/(^|[^A-Za-z0-9-])jorgobe\.at$/i"; classtype:trojan-activity; sid:4085961; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain jorgobe.at"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"jorgobe.at"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])jorgobe\.at[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085962; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain backstreetpub.com"; dns.query; content:"backstreetpub.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])backstreetpub\.com$/i"; classtype:trojan-activity; sid:4085971; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain backstreetpub.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"backstreetpub.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])backstreetpub\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085972; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns 
any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain modestmanagement.com"; dns.query; content:"modestmanagement.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])modestmanagement\.com$/i"; classtype:trojan-activity; sid:4085981; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain modestmanagement.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"modestmanagement.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])modestmanagement\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085982; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain brigitte-erler.com"; dns.query; content:"brigitte-erler.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])brigitte\-erler\.com$/i"; classtype:trojan-activity; sid:4085991; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain brigitte-erler.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"brigitte-erler.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])brigitte\-erler\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4085992; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns 
any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain htchorst.nl"; dns.query; content:"htchorst.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])htchorst\.nl$/i"; classtype:trojan-activity; sid:4086001; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain htchorst.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"htchorst.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])htchorst\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086002; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain vihannesporssi.fi"; dns.query; content:"vihannesporssi.fi"; nocase; pcre: "/(^|[^A-Za-z0-9-])vihannesporssi\.fi$/i"; classtype:trojan-activity; sid:4086011; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain vihannesporssi.fi"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vihannesporssi.fi"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vihannesporssi\.fi[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086012; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain ilso.net"; dns.query; content:"ilso.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])ilso\.net$/i"; classtype:trojan-activity; sid:4086021; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain ilso.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ilso.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ilso\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086022; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain fransespiegels.nl"; dns.query; content:"fransespiegels.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])fransespiegels\.nl$/i"; classtype:trojan-activity; sid:4086031; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain fransespiegels.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"fransespiegels.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])fransespiegels\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086032; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - 
S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain imaginado.de"; dns.query; content:"imaginado.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])imaginado\.de$/i"; classtype:trojan-activity; sid:4086041; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain imaginado.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"imaginado.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])imaginado\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086042; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain igfap.com"; dns.query; content:"igfap.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])igfap\.com$/i"; classtype:trojan-activity; sid:4086051; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain igfap.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"igfap.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])igfap\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086052; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain joseconstela.com"; 
dns.query; content:"joseconstela.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])joseconstela\.com$/i"; classtype:trojan-activity; sid:4086061; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain joseconstela.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"joseconstela.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])joseconstela\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086062; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain oemands.dk"; dns.query; content:"oemands.dk"; nocase; pcre: "/(^|[^A-Za-z0-9-])oemands\.dk$/i"; classtype:trojan-activity; sid:4086071; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain oemands.dk"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"oemands.dk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])oemands\.dk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086072; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain sportiomsportfondsen.nl"; dns.query; content:"sportiomsportfondsen.nl"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])sportiomsportfondsen\.nl$/i"; classtype:trojan-activity; sid:4086081; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain sportiomsportfondsen.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sportiomsportfondsen.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sportiomsportfondsen\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086082; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain coffreo.biz"; dns.query; content:"coffreo.biz"; nocase; pcre: "/(^|[^A-Za-z0-9-])coffreo\.biz$/i"; classtype:trojan-activity; sid:4086091; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain coffreo.biz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"coffreo.biz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])coffreo\.biz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086092; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain qualitus.com"; dns.query; content:"qualitus.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])qualitus\.com$/i"; 
classtype:trojan-activity; sid:4086101; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain qualitus.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"qualitus.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])qualitus\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086102; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain polymedia.dk"; dns.query; content:"polymedia.dk"; nocase; pcre: "/(^|[^A-Za-z0-9-])polymedia\.dk$/i"; classtype:trojan-activity; sid:4086111; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain polymedia.dk"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"polymedia.dk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])polymedia\.dk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086112; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain sanaia.com"; dns.query; content:"sanaia.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])sanaia\.com$/i"; classtype:trojan-activity; sid:4086121; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain sanaia.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sanaia.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sanaia\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086122; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain thedad.com"; dns.query; content:"thedad.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])thedad\.com$/i"; classtype:trojan-activity; sid:4086131; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain thedad.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"thedad.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])thedad\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086132; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain vanswigchemdesign.com"; dns.query; content:"vanswigchemdesign.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])vanswigchemdesign\.com$/i"; classtype:trojan-activity; sid:4086141; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain vanswigchemdesign.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vanswigchemdesign.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vanswigchemdesign\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086142; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain kindersitze-vergleich.de"; dns.query; content:"kindersitze-vergleich.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])kindersitze\-vergleich\.de$/i"; classtype:trojan-activity; sid:4086151; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain kindersitze-vergleich.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kindersitze-vergleich.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kindersitze\-vergleich\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086152; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain tomoiyuma.com"; dns.query; content:"tomoiyuma.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])tomoiyuma\.com$/i"; classtype:trojan-activity; sid:4086161; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) 
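# --- Reviewer notes for the MISP e208 domain rules below (restored to one rule per line; the
#     last rule on this line continues on the following line of the export) ---
# msg: the misp-galaxy tags embed unescaped double quotes inside the quoted msg string
#   (...attack-tool="Mimikatz - S0002",...). Confirm the target engine accepts this before
#   deploying, e.g. `suricata -T -S <path-to-this-rules-file>` (placeholder path).
# "Domain" rules: the pcre prefix class [^A-Za-z0-9-] does not exclude '.', so every
#   subdomain of the listed domain matches too; the "Hostname" rules elsewhere in this
#   export use [^A-Za-z0-9-\.] and therefore match the exact host only.
# DNS rules are `alert dns any any -> any any`: if the sensor also sees an internal
#   recursive resolver's upstream lookups, each client query can raise two alerts.
# priority:1 / classtype:trojan-activity on ordinary-looking business domains: such
#   indicators may be compromised third-party sites that are later cleaned, so keep the
#   event reference (208) and schedule a review/expiry instead of leaving them permanent.
# tag:session,600,seconds on the HTTP rules logs the full session for 600 s after a hit,
#   which helps triage but increases pcap/eve volume per alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain tomoiyuma.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tomoiyuma.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tomoiyuma\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086162; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain jakekozmor.com"; dns.query; content:"jakekozmor.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])jakekozmor\.com$/i"; classtype:trojan-activity; sid:4086171; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain jakekozmor.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"jakekozmor.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])jakekozmor\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086172; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain agence-referencement-naturel-geneve.net"; dns.query; content:"agence-referencement-naturel-geneve.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])agence\-referencement\-naturel\-geneve\.net$/i"; classtype:trojan-activity; sid:4086181; rev:1; priority:1; 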
reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain agence-referencement-naturel-geneve.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"agence-referencement-naturel-geneve.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])agence\-referencement\-naturel\-geneve\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086182; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain ki-lowroermond.nl"; dns.query; content:"ki-lowroermond.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])ki\-lowroermond\.nl$/i"; classtype:trojan-activity; sid:4086191; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain ki-lowroermond.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ki-lowroermond.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ki\-lowroermond\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086192; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain seminoc.com"; dns.query; content:"seminoc.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])seminoc\.com$/i"; classtype:trojan-activity; 
sid:4086201; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain seminoc.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"seminoc.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])seminoc\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086202; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain sw1m.ru"; dns.query; content:"sw1m.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])sw1m\.ru$/i"; classtype:trojan-activity; sid:4086211; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain sw1m.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sw1m.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sw1m\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086212; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain monark.com"; dns.query; content:"monark.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])monark\.com$/i"; classtype:trojan-activity; sid:4086221; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain monark.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"monark.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])monark\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086222; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain lightair.com"; dns.query; content:"lightair.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])lightair\.com$/i"; classtype:trojan-activity; sid:4086231; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain lightair.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lightair.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lightair\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086232; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain id-vet.com"; dns.query; content:"id-vet.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])id\-vet\.com$/i"; classtype:trojan-activity; sid:4086241; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - 
S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain id-vet.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"id-vet.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])id\-vet\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086242; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain gamesboard.info"; dns.query; content:"gamesboard.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])gamesboard\.info$/i"; classtype:trojan-activity; sid:4086251; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain gamesboard.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gamesboard.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gamesboard\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086252; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname ftf.or.at"; dns.query; content:"ftf.or.at"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ftf\.or\.at$/i"; classtype:trojan-activity; sid:4086261; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] 
Outgoing HTTP Hostname ftf.or.at"; flow:to_server,established; http.header; content: "Host|3a| ftf.or.at"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ftf\.or\.at[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086262; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain educar.org"; dns.query; content:"educar.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])educar\.org$/i"; classtype:trojan-activity; sid:4086271; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain educar.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"educar.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])educar\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086272; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain simoneblum.de"; dns.query; content:"simoneblum.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])simoneblum\.de$/i"; classtype:trojan-activity; sid:4086281; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain simoneblum.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; 
content:"simoneblum.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])simoneblum\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086282; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain yamalevents.com"; dns.query; content:"yamalevents.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])yamalevents\.com$/i"; classtype:trojan-activity; sid:4086291; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain yamalevents.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"yamalevents.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])yamalevents\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086292; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain liveottelut.com"; dns.query; content:"liveottelut.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])liveottelut\.com$/i"; classtype:trojan-activity; sid:4086301; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain liveottelut.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"liveottelut.com"; fast_pattern; nocase; 
pcre: "/(^|[^A-Za-z0-9-])liveottelut\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086302; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain sipstroysochi.ru"; dns.query; content:"sipstroysochi.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])sipstroysochi\.ru$/i"; classtype:trojan-activity; sid:4086311; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain sipstroysochi.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sipstroysochi.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sipstroysochi\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086312; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain greenfieldoptimaldentalcare.com"; dns.query; content:"greenfieldoptimaldentalcare.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])greenfieldoptimaldentalcare\.com$/i"; classtype:trojan-activity; sid:4086321; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain greenfieldoptimaldentalcare.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; 
content:"greenfieldoptimaldentalcare.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])greenfieldoptimaldentalcare\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086322; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain ussmontanacommittee.us"; dns.query; content:"ussmontanacommittee.us"; nocase; pcre: "/(^|[^A-Za-z0-9-])ussmontanacommittee\.us$/i"; classtype:trojan-activity; sid:4086331; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain ussmontanacommittee.us"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ussmontanacommittee.us"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ussmontanacommittee\.us[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086332; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain people-biz.com"; dns.query; content:"people-biz.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])people\-biz\.com$/i"; classtype:trojan-activity; sid:4086341; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain people-biz.com"; flow:to_server,established; http.header; content: "Host|3a|"; 
nocase; http.header; content:"people-biz.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])people\-biz\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086342; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain bhwlawfirm.com"; dns.query; content:"bhwlawfirm.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])bhwlawfirm\.com$/i"; classtype:trojan-activity; sid:4086351; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain bhwlawfirm.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bhwlawfirm.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bhwlawfirm\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086352; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain 12starhd.online"; dns.query; content:"12starhd.online"; nocase; pcre: "/(^|[^A-Za-z0-9-])12starhd\.online$/i"; classtype:trojan-activity; sid:4086361; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain 12starhd.online"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"12starhd.online"; 
fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])12starhd\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086362; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain operaslovakia.sk"; dns.query; content:"operaslovakia.sk"; nocase; pcre: "/(^|[^A-Za-z0-9-])operaslovakia\.sk$/i"; classtype:trojan-activity; sid:4086371; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain operaslovakia.sk"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"operaslovakia.sk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])operaslovakia\.sk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086372; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain sinal.org"; dns.query; content:"sinal.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])sinal\.org$/i"; classtype:trojan-activity; sid:4086381; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain sinal.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sinal.org"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])sinal\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086382; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain theletter.company"; dns.query; content:"theletter.company"; nocase; pcre: "/(^|[^A-Za-z0-9-])theletter\.company$/i"; classtype:trojan-activity; sid:4086391; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain theletter.company"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"theletter.company"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])theletter\.company[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086392; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain tuuliautio.fi"; dns.query; content:"tuuliautio.fi"; nocase; pcre: "/(^|[^A-Za-z0-9-])tuuliautio\.fi$/i"; classtype:trojan-activity; sid:4086401; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain tuuliautio.fi"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tuuliautio.fi"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tuuliautio\.fi[^A-Za-z0-9-\.]/Hi"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4086402; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname 1kbk.com.ua"; dns.query; content:"1kbk.com.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])1kbk\.com\.ua$/i"; classtype:trojan-activity; sid:4086411; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname 1kbk.com.ua"; flow:to_server,established; http.header; content: "Host|3a| 1kbk.com.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])1kbk\.com\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086412; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain hardinggroup.com"; dns.query; content:"hardinggroup.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])hardinggroup\.com$/i"; classtype:trojan-activity; sid:4086421; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain hardinggroup.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hardinggroup.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hardinggroup\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086422; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain qlog.de"; dns.query; content:"qlog.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])qlog\.de$/i"; classtype:trojan-activity; sid:4086431; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain qlog.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"qlog.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])qlog\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086432; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain anteniti.com"; dns.query; content:"anteniti.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])anteniti\.com$/i"; classtype:trojan-activity; sid:4086441; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain anteniti.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"anteniti.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])anteniti\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086442; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain pinkexcel.com"; dns.query; content:"pinkexcel.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])pinkexcel\.com$/i"; classtype:trojan-activity; sid:4086451; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain pinkexcel.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pinkexcel.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pinkexcel\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086452; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain justinvieira.com"; dns.query; content:"justinvieira.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])justinvieira\.com$/i"; classtype:trojan-activity; sid:4086461; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain justinvieira.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"justinvieira.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])justinvieira\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086462; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - 
S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain naturstein-hotte.de"; dns.query; content:"naturstein-hotte.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])naturstein\-hotte\.de$/i"; classtype:trojan-activity; sid:4086471; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain naturstein-hotte.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"naturstein-hotte.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])naturstein\-hotte\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086472; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain mbxvii.com"; dns.query; content:"mbxvii.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])mbxvii\.com$/i"; classtype:trojan-activity; sid:4086481; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain mbxvii.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mbxvii.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mbxvii\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086482; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - 
S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain mrxermon.de"; dns.query; content:"mrxermon.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])mrxermon\.de$/i"; classtype:trojan-activity; sid:4086491; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain mrxermon.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mrxermon.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mrxermon\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086492; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain sterlingessay.com"; dns.query; content:"sterlingessay.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])sterlingessay\.com$/i"; classtype:trojan-activity; sid:4086501; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain sterlingessay.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sterlingessay.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sterlingessay\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086502; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - 
S0029",tlp:white] Domain fayrecreations.com"; dns.query; content:"fayrecreations.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])fayrecreations\.com$/i"; classtype:trojan-activity; sid:4086511; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain fayrecreations.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"fayrecreations.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])fayrecreations\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086512; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain senson.fi"; dns.query; content:"senson.fi"; nocase; pcre: "/(^|[^A-Za-z0-9-])senson\.fi$/i"; classtype:trojan-activity; sid:4086521; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain senson.fi"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"senson.fi"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])senson\.fi[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086522; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname waveneyrivercentre.co.uk"; dns.query; 
content:"waveneyrivercentre.co.uk"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])waveneyrivercentre\.co\.uk$/i"; classtype:trojan-activity; sid:4086531; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname waveneyrivercentre.co.uk"; flow:to_server,established; http.header; content: "Host|3a| waveneyrivercentre.co.uk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])waveneyrivercentre\.co\.uk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086532; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain thomas-hospital.de"; dns.query; content:"thomas-hospital.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])thomas\-hospital\.de$/i"; classtype:trojan-activity; sid:4086551; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain thomas-hospital.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"thomas-hospital.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])thomas\-hospital\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086552; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain denovofoodsgroup.com"; dns.query; 
content:"denovofoodsgroup.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])denovofoodsgroup\.com$/i"; classtype:trojan-activity; sid:4086561; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain denovofoodsgroup.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"denovofoodsgroup.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])denovofoodsgroup\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086562; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname kisplanning.com.au"; dns.query; content:"kisplanning.com.au"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])kisplanning\.com\.au$/i"; classtype:trojan-activity; sid:4086571; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname kisplanning.com.au"; flow:to_server,established; http.header; content: "Host|3a| kisplanning.com.au"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])kisplanning\.com\.au[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086572; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain grelot-home.com"; dns.query; content:"grelot-home.com"; 
nocase; pcre: "/(^|[^A-Za-z0-9-])grelot\-home\.com$/i"; classtype:trojan-activity; sid:4086581; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain grelot-home.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"grelot-home.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])grelot\-home\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086582; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain tigsltd.com"; dns.query; content:"tigsltd.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])tigsltd\.com$/i"; classtype:trojan-activity; sid:4086591; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain tigsltd.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tigsltd.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tigsltd\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086592; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain carrybrands.nl"; dns.query; content:"carrybrands.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])carrybrands\.nl$/i"; 
classtype:trojan-activity; sid:4086601; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain carrybrands.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"carrybrands.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])carrybrands\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086602; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain controldekk.com"; dns.query; content:"controldekk.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])controldekk\.com$/i"; classtype:trojan-activity; sid:4086611; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain controldekk.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"controldekk.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])controldekk\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086612; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain schmalhorst.de"; dns.query; content:"schmalhorst.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])schmalhorst\.de$/i"; classtype:trojan-activity; sid:4086621; rev:1; 
priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain schmalhorst.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"schmalhorst.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])schmalhorst\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086622; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain verytycs.com"; dns.query; content:"verytycs.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])verytycs\.com$/i"; classtype:trojan-activity; sid:4086631; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain verytycs.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"verytycs.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])verytycs\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086632; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain atalent.fi"; dns.query; content:"atalent.fi"; nocase; pcre: "/(^|[^A-Za-z0-9-])atalent\.fi$/i"; classtype:trojan-activity; sid:4086641; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain atalent.fi"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"atalent.fi"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])atalent\.fi[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086642; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname aglend.com.au"; dns.query; content:"aglend.com.au"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])aglend\.com\.au$/i"; classtype:trojan-activity; sid:4086651; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname aglend.com.au"; flow:to_server,established; http.header; content: "Host|3a| aglend.com.au"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])aglend\.com\.au[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086652; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain mediaacademy-iraq.org"; dns.query; content:"mediaacademy-iraq.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])mediaacademy\-iraq\.org$/i"; classtype:trojan-activity; sid:4086661; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain mediaacademy-iraq.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mediaacademy-iraq.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mediaacademy\-iraq\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086662; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain gporf.fr"; dns.query; content:"gporf.fr"; nocase; pcre: "/(^|[^A-Za-z0-9-])gporf\.fr$/i"; classtype:trojan-activity; sid:4086671; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain gporf.fr"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gporf.fr"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gporf\.fr[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086672; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain gymnasedumanagement.com"; dns.query; content:"gymnasedumanagement.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])gymnasedumanagement\.com$/i"; classtype:trojan-activity; sid:4086681; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain gymnasedumanagement.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gymnasedumanagement.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gymnasedumanagement\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086682; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain waynela.com"; dns.query; content:"waynela.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])waynela\.com$/i"; classtype:trojan-activity; sid:4086691; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain waynela.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"waynela.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])waynela\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086692; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain caffeinternet.it"; dns.query; content:"caffeinternet.it"; nocase; pcre: "/(^|[^A-Za-z0-9-])caffeinternet\.it$/i"; classtype:trojan-activity; sid:4086701; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain caffeinternet.it"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"caffeinternet.it"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])caffeinternet\.it[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086702; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname www1.proresult.no"; dns.query; content:"www1.proresult.no"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www1\.proresult\.no$/i"; classtype:trojan-activity; sid:4086711; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname www1.proresult.no"; flow:to_server,established; http.header; content: "Host|3a| www1.proresult.no"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www1\.proresult\.no[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086712; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain arteservicefabbro.com"; dns.query; content:"arteservicefabbro.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])arteservicefabbro\.com$/i"; classtype:trojan-activity; sid:4086721; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain arteservicefabbro.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"arteservicefabbro.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])arteservicefabbro\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086722; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain kenhnoithatgo.com"; dns.query; content:"kenhnoithatgo.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])kenhnoithatgo\.com$/i"; classtype:trojan-activity; sid:4086731; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain kenhnoithatgo.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kenhnoithatgo.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kenhnoithatgo\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086732; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain oneheartwarriors.at"; dns.query; content:"oneheartwarriors.at"; nocase; pcre: "/(^|[^A-Za-z0-9-])oneheartwarriors\.at$/i"; classtype:trojan-activity; sid:4086741; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain oneheartwarriors.at"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"oneheartwarriors.at"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])oneheartwarriors\.at[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086742; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain apprendrelaudit.com"; dns.query; content:"apprendrelaudit.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])apprendrelaudit\.com$/i"; classtype:trojan-activity; sid:4086751; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain apprendrelaudit.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"apprendrelaudit.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])apprendrelaudit\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086752; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain live-your-life.jp"; dns.query; content:"live-your-life.jp"; nocase; pcre: "/(^|[^A-Za-z0-9-])live\-your\-life\.jp$/i"; classtype:trojan-activity; sid:4086761; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain live-your-life.jp"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"live-your-life.jp"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])live\-your\-life\.jp[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086762; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# ---------------------------------------------------------------------------------------------
# MISP event 208 (reference:url,https://misp.botvrij.eu/events/view/208), tagged with the
# MITRE tools Mimikatz (S0002) and PsExec (S0029). Each network indicator below is exported as
# a pair of rules that share a sid prefix:
#   sid ...1  alert dns any any -> any any, dns.query   - the name is looked up over DNS
#   sid ...2  alert http $HOME_NET -> $EXTERNAL_NET, http.header - the name appears in the request
#             headers of an established, cleartext HTTP session (flow:to_server,established)
# "Domain" and "Hostname" indicators differ only in the PCRE anchor in front of the name:
#   Domain   (^|[^A-Za-z0-9-])    a preceding "." is allowed, so any subdomain also matches
#   Hostname (^|[^A-Za-z0-9-\.])  a preceding "." is rejected, so only the exact host matches
# Review notes (tuning points, not defects in the export):
#  - The DNS rules are any -> any: they fire on every query the sensor sees, which depending on
#    placement includes a recursive resolver's own upstream lookups; restrict the source to
#    $HOME_NET if the alert should attribute the lookup to an internal client.
#  - The HTTP "Domain" rules match "Host|3a|" and the name as two independent http.header
#    contents with no distance/within between them, so a request that carries any Host header
#    and the name in some other header (e.g. Referer) also fires. The "Hostname" rules match
#    "Host|3a| <name>" as a single content and are tighter.
#  - Only the http.header and dns.query buffers are used here. A visit to one of these names
#    over HTTPS produces no http match; it is only seen through the DNS lookup unless a tls.sni
#    rule is added (none is present in this section).
#  - tag:session,600,seconds logs the remainder of the matching session for up to 600 seconds
#    after the alert; on a busy sensor that is a noticeable amount of extra logging.
#  - All rules in this event are rev:1, priority:1, classtype:trojan-activity, as exported.
#    The sid sequence is not contiguous (4086871/4086872 are absent between stoneys.ch and the
#    preceding entry) - presumably an attribute without an IDS representation; harmless.
# ---------------------------------------------------------------------------------------------
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain pcprofessor.com"; dns.query; content:"pcprofessor.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])pcprofessor\.com$/i"; classtype:trojan-activity; sid:4086771; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain pcprofessor.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pcprofessor.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pcprofessor\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086772; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain simplyblessedbykeepingitreal.com"; dns.query; content:"simplyblessedbykeepingitreal.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])simplyblessedbykeepingitreal\.com$/i"; classtype:trojan-activity; sid:4086781; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain simplyblessedbykeepingitreal.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"simplyblessedbykeepingitreal.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])simplyblessedbykeepingitreal\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086782; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain facettenreich27.de"; dns.query; content:"facettenreich27.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])facettenreich27\.de$/i"; classtype:trojan-activity; sid:4086791; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain facettenreich27.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"facettenreich27.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])facettenreich27\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086792; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain zzyjtsgls.com"; dns.query; content:"zzyjtsgls.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])zzyjtsgls\.com$/i"; classtype:trojan-activity; sid:4086801; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain zzyjtsgls.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"zzyjtsgls.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])zzyjtsgls\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086802; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain harveybp.com"; dns.query; content:"harveybp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])harveybp\.com$/i"; classtype:trojan-activity; sid:4086811; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain harveybp.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"harveybp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])harveybp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086812; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain ai-spt.jp"; dns.query; content:"ai-spt.jp"; nocase; pcre: "/(^|[^A-Za-z0-9-])ai\-spt\.jp$/i"; classtype:trojan-activity; sid:4086821; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain ai-spt.jp"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ai-spt.jp"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ai\-spt\.jp[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086822; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain pixelarttees.com"; dns.query; content:"pixelarttees.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])pixelarttees\.com$/i"; classtype:trojan-activity; sid:4086831; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain pixelarttees.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pixelarttees.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pixelarttees\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086832; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain lascuola.nl"; dns.query; content:"lascuola.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])lascuola\.nl$/i"; classtype:trojan-activity; sid:4086841; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain lascuola.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lascuola.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lascuola\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086842; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain klimt2012.info"; dns.query; content:"klimt2012.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])klimt2012\.info$/i"; classtype:trojan-activity; sid:4086851; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain klimt2012.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"klimt2012.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])klimt2012\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086852; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain joyeriaorindia.com"; dns.query; content:"joyeriaorindia.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])joyeriaorindia\.com$/i"; classtype:trojan-activity; sid:4086861; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain joyeriaorindia.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"joyeriaorindia.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])joyeriaorindia\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086862; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# sid 4086871/4086872 are not present in the export; numbering resumes at 4086881.
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain stoneys.ch"; dns.query; content:"stoneys.ch"; nocase; pcre: "/(^|[^A-Za-z0-9-])stoneys\.ch$/i"; classtype:trojan-activity; sid:4086881; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain stoneys.ch"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"stoneys.ch"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])stoneys\.ch[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086882; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain sachnendoc.com"; dns.query; content:"sachnendoc.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])sachnendoc\.com$/i"; classtype:trojan-activity; sid:4086891; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain sachnendoc.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sachnendoc.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sachnendoc\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086892; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain paradicepacks.com"; dns.query; content:"paradicepacks.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])paradicepacks\.com$/i"; classtype:trojan-activity; sid:4086901; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain paradicepacks.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"paradicepacks.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])paradicepacks\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086902; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain cnoia.org"; dns.query; content:"cnoia.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])cnoia\.org$/i"; classtype:trojan-activity; sid:4086911; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain cnoia.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cnoia.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cnoia\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086912; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain edrcreditservices.nl"; dns.query; content:"edrcreditservices.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])edrcreditservices\.nl$/i"; classtype:trojan-activity; sid:4086921; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain edrcreditservices.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"edrcreditservices.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])edrcreditservices\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086922; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# Hostname indicator: exact host only (the PCRE rejects a preceding "."), and the HTTP rule
# matches "Host|3a| <name>" as one content rather than two independent ones.
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname cimanchesterescorts.co.uk"; dns.query; content:"cimanchesterescorts.co.uk"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cimanchesterescorts\.co\.uk$/i"; classtype:trojan-activity; sid:4086931; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname cimanchesterescorts.co.uk"; flow:to_server,established; http.header; content: "Host|3a| cimanchesterescorts.co.uk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cimanchesterescorts\.co\.uk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086932; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain filmvideoweb.com"; dns.query; content:"filmvideoweb.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])filmvideoweb\.com$/i"; classtype:trojan-activity; sid:4086941; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain filmvideoweb.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"filmvideoweb.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])filmvideoweb\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086942; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain thedresserie.com"; dns.query; content:"thedresserie.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])thedresserie\.com$/i"; classtype:trojan-activity; sid:4086951; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain thedresserie.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"thedresserie.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])thedresserie\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086952; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain revezlimage.com"; dns.query; content:"revezlimage.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])revezlimage\.com$/i"; classtype:trojan-activity; sid:4086961; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain revezlimage.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"revezlimage.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])revezlimage\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086962; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain vietlawconsultancy.com"; dns.query; content:"vietlawconsultancy.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])vietlawconsultancy\.com$/i"; classtype:trojan-activity; sid:4086971; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain vietlawconsultancy.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vietlawconsultancy.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vietlawconsultancy\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086972; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain eaglemeetstiger.de"; dns.query; content:"eaglemeetstiger.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])eaglemeetstiger\.de$/i"; classtype:trojan-activity; sid:4086981; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain eaglemeetstiger.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"eaglemeetstiger.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])eaglemeetstiger\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086982; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain brawnmediany.com"; dns.query; content:"brawnmediany.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])brawnmediany\.com$/i"; classtype:trojan-activity; sid:4086991; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain brawnmediany.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"brawnmediany.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])brawnmediany\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4086992; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain global-kids.info"; dns.query; content:"global-kids.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])global\-kids\.info$/i"; classtype:trojan-activity; sid:4087001; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain global-kids.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"global-kids.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])global\-kids\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087002; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain pt-arnold.de"; dns.query; content:"pt-arnold.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])pt\-arnold\.de$/i"; classtype:trojan-activity; sid:4087011; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain pt-arnold.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pt-arnold.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pt\-arnold\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087012; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain julis-lsa.de"; dns.query; content:"julis-lsa.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])julis\-lsa\.de$/i"; classtype:trojan-activity; sid:4087021; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain julis-lsa.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"julis-lsa.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])julis\-lsa\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087022; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain alhashem.net"; dns.query; content:"alhashem.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])alhashem\.net$/i"; classtype:trojan-activity; sid:4087031; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain alhashem.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"alhashem.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])alhashem\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087032; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain mirkoreisser.de"; dns.query; content:"mirkoreisser.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])mirkoreisser\.de$/i"; classtype:trojan-activity; sid:4087041; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain mirkoreisser.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mirkoreisser.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mirkoreisser\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087042; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# Hostname indicator (exact host only, single "Host|3a| <name>" content) - see note above.
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname bayoga.co.uk"; dns.query; content:"bayoga.co.uk"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])bayoga\.co\.uk$/i"; classtype:trojan-activity; sid:4087051; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname bayoga.co.uk"; flow:to_server,established; http.header; content: "Host|3a| bayoga.co.uk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])bayoga\.co\.uk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087052; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain levihotelspa.fi"; dns.query; content:"levihotelspa.fi"; nocase; pcre: "/(^|[^A-Za-z0-9-])levihotelspa\.fi$/i"; classtype:trojan-activity; sid:4087061; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain levihotelspa.fi"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"levihotelspa.fi"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])levihotelspa\.fi[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087062; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain hairstylesnow.site"; dns.query; content:"hairstylesnow.site"; nocase; pcre: "/(^|[^A-Za-z0-9-])hairstylesnow\.site$/i"; classtype:trojan-activity; sid:4087071; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain hairstylesnow.site"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hairstylesnow.site"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hairstylesnow\.site[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087072; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# Hostname indicator (exact host only, single "Host|3a| <name>" content) - see note above.
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname argenblogs.com.ar"; dns.query; content:"argenblogs.com.ar"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])argenblogs\.com\.ar$/i"; classtype:trojan-activity; sid:4087081; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname argenblogs.com.ar"; flow:to_server,established; http.header; content: "Host|3a| argenblogs.com.ar"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])argenblogs\.com\.ar[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087082; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain jobmap.at"; dns.query; content:"jobmap.at"; nocase; pcre: "/(^|[^A-Za-z0-9-])jobmap\.at$/i"; classtype:trojan-activity; sid:4087091; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain jobmap.at"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"jobmap.at"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])jobmap\.at[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087092; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain jasonbaileystudio.com"; dns.query; content:"jasonbaileystudio.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])jasonbaileystudio\.com$/i"; classtype:trojan-activity; sid:4087101; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain jasonbaileystudio.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"jasonbaileystudio.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])jasonbaileystudio\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087102; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain wolf-glas-und-kunst.de"; dns.query; content:"wolf-glas-und-kunst.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])wolf\-glas\-und\-kunst\.de$/i"; classtype:trojan-activity; sid:4087111; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain wolf-glas-und-kunst.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wolf-glas-und-kunst.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wolf\-glas\-und\-kunst\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087112; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain pmc-services.de"; dns.query; content:"pmc-services.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])pmc\-services\.de$/i"; classtype:trojan-activity; sid:4087121; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain pmc-services.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pmc-services.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pmc\-services\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087122; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain noesis.tech"; dns.query; content:"noesis.tech"; nocase; pcre: "/(^|[^A-Za-z0-9-])noesis\.tech$/i"; classtype:trojan-activity; sid:4087131; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain noesis.tech"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"noesis.tech"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])noesis\.tech[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087132; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain blewback.com"; dns.query; content:"blewback.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])blewback\.com$/i"; classtype:trojan-activity; sid:4087141; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain blewback.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"blewback.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])blewback\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087142; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain naswrrg.org"; dns.query; content:"naswrrg.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])naswrrg\.org$/i"; classtype:trojan-activity; sid:4087151; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain naswrrg.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"naswrrg.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])naswrrg\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087152; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain nakupunafoundation.org"; dns.query; content:"nakupunafoundation.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])nakupunafoundation\.org$/i"; classtype:trojan-activity; sid:4087161; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain nakupunafoundation.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nakupunafoundation.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nakupunafoundation\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087162; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain trapiantofue.it"; dns.query; content:"trapiantofue.it"; nocase; pcre: "/(^|[^A-Za-z0-9-])trapiantofue\.it$/i"; classtype:trojan-activity; sid:4087171; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain trapiantofue.it"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"trapiantofue.it"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])trapiantofue\.it[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087172; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain instatron.net"; dns.query; content:"instatron.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])instatron\.net$/i"; classtype:trojan-activity; sid:4087181; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain instatron.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"instatron.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])instatron\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087182; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain simulatebrain.com"; dns.query; content:"simulatebrain.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])simulatebrain\.com$/i"; classtype:trojan-activity; sid:4087191; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain simulatebrain.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"simulatebrain.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])simulatebrain\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087192; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain coursio.com"; dns.query; content:"coursio.com"; 
nocase; pcre: "/(^|[^A-Za-z0-9-])coursio\.com$/i"; classtype:trojan-activity; sid:4087201; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain coursio.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"coursio.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])coursio\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087202; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain igorbarbosa.com"; dns.query; content:"igorbarbosa.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])igorbarbosa\.com$/i"; classtype:trojan-activity; sid:4087211; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain igorbarbosa.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"igorbarbosa.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])igorbarbosa\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087212; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain hypozentrum.com"; dns.query; content:"hypozentrum.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])hypozentrum\.com$/i"; 
classtype:trojan-activity; sid:4087221; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# "Domain" HTTP form: the name is a separate http.header content match, and the pcre's leading class [^A-Za-z0-9-]
# admits a preceding '.', so subdomains of the listed name also fire. The pcre /H modifier keeps the regex on the HTTP
# header buffer. This only inspects cleartext HTTP Host headers; the same name reached over TLS is not seen by this rule,
# so encrypted traffic is covered only by the companion dns rule (sid 4087221, split across the preceding line break).
# tag:session,600,seconds records the rest of the matching session for 600 s after the alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain hypozentrum.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hypozentrum.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hypozentrum\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087222; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# "Hostname" variant (MISP hostname attribute): the anchor class is [^A-Za-z0-9-\.], which also excludes '.', so only the
# exact name in dns.query matches — subdomains do not fire, unlike the "Domain" rules around it.
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname neuschelectrical.co.za"; dns.query; content:"neuschelectrical.co.za"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])neuschelectrical\.co\.za$/i"; classtype:trojan-activity; sid:4087231; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# Hostname HTTP form: the name is folded into the single "Host|3a| <name>" content instead of a second http.header
# content, and the pcre again excludes a leading '.', so a Host header carrying a subdomain does not match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname neuschelectrical.co.za"; flow:to_server,established; http.header; content: "Host|3a| neuschelectrical.co.za"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])neuschelectrical\.co\.za[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087232; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# Back to the "Domain" dns form (subdomains match). This rule's tail continues on the next line of the export.
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain nurturingwisdom.com"; dns.query; content:"nurturingwisdom.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])nurturingwisdom\.com$/i"; 
classtype:trojan-activity; sid:4087241; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain nurturingwisdom.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nurturingwisdom.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nurturingwisdom\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087242; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain seevilla-dr-sturm.at"; dns.query; content:"seevilla-dr-sturm.at"; nocase; pcre: "/(^|[^A-Za-z0-9-])seevilla\-dr\-sturm\.at$/i"; classtype:trojan-activity; sid:4087251; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain seevilla-dr-sturm.at"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"seevilla-dr-sturm.at"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])seevilla\-dr\-sturm\.at[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087252; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain fotoideaymedia.es"; dns.query; content:"fotoideaymedia.es"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])fotoideaymedia\.es$/i"; classtype:trojan-activity; sid:4087261; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain fotoideaymedia.es"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"fotoideaymedia.es"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])fotoideaymedia\.es[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087262; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain tonelektro.nl"; dns.query; content:"tonelektro.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])tonelektro\.nl$/i"; classtype:trojan-activity; sid:4087271; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain tonelektro.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tonelektro.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tonelektro\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087272; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain sarbatkhalsafoundation.org"; dns.query; content:"sarbatkhalsafoundation.org"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])sarbatkhalsafoundation\.org$/i"; classtype:trojan-activity; sid:4087281; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain sarbatkhalsafoundation.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sarbatkhalsafoundation.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sarbatkhalsafoundation\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087282; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain sportverein-tambach.de"; dns.query; content:"sportverein-tambach.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])sportverein\-tambach\.de$/i"; classtype:trojan-activity; sid:4087291; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain sportverein-tambach.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sportverein-tambach.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sportverein\-tambach\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087292; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain jyzdesign.com"; dns.query; 
content:"jyzdesign.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])jyzdesign\.com$/i"; classtype:trojan-activity; sid:4087301; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain jyzdesign.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"jyzdesign.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])jyzdesign\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087302; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain jeanlouissibomana.com"; dns.query; content:"jeanlouissibomana.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])jeanlouissibomana\.com$/i"; classtype:trojan-activity; sid:4087311; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain jeanlouissibomana.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"jeanlouissibomana.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])jeanlouissibomana\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087312; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain anthonystreetrimming.com"; dns.query; 
content:"anthonystreetrimming.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])anthonystreetrimming\.com$/i"; classtype:trojan-activity; sid:4087321; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain anthonystreetrimming.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"anthonystreetrimming.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])anthonystreetrimming\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087322; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain slwgs.org"; dns.query; content:"slwgs.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])slwgs\.org$/i"; classtype:trojan-activity; sid:4087331; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain slwgs.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"slwgs.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])slwgs\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087332; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname bristolaeroclub.co.uk"; dns.query; content:"bristolaeroclub.co.uk"; 
nocase; pcre: "/(^|[^A-Za-z0-9-\.])bristolaeroclub\.co\.uk$/i"; classtype:trojan-activity; sid:4087341; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname bristolaeroclub.co.uk"; flow:to_server,established; http.header; content: "Host|3a| bristolaeroclub.co.uk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])bristolaeroclub\.co\.uk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087342; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain ivfminiua.com"; dns.query; content:"ivfminiua.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ivfminiua\.com$/i"; classtype:trojan-activity; sid:4087351; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain ivfminiua.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ivfminiua.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ivfminiua\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087352; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain xn--fnsterputssollentuna-39b.se"; dns.query; content:"xn--fnsterputssollentuna-39b.se"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])xn\-\-fnsterputssollentuna\-39b\.se$/i"; classtype:trojan-activity; sid:4087361; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain xn--fnsterputssollentuna-39b.se"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"xn--fnsterputssollentuna-39b.se"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])xn\-\-fnsterputssollentuna\-39b\.se[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087362; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain candyhouseusa.com"; dns.query; content:"candyhouseusa.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])candyhouseusa\.com$/i"; classtype:trojan-activity; sid:4087371; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain candyhouseusa.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"candyhouseusa.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])candyhouseusa\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087372; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain xn--thucmctc-13a1357egba.com"; 
dns.query; content:"xn--thucmctc-13a1357egba.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])xn\-\-thucmctc\-13a1357egba\.com$/i"; classtype:trojan-activity; sid:4087381; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain xn--thucmctc-13a1357egba.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"xn--thucmctc-13a1357egba.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])xn\-\-thucmctc\-13a1357egba\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087382; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain onlyresultsmarketing.com"; dns.query; content:"onlyresultsmarketing.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])onlyresultsmarketing\.com$/i"; classtype:trojan-activity; sid:4087391; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain onlyresultsmarketing.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"onlyresultsmarketing.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])onlyresultsmarketing\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087392; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - 
S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain nataschawessels.com"; dns.query; content:"nataschawessels.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])nataschawessels\.com$/i"; classtype:trojan-activity; sid:4087401; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain nataschawessels.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nataschawessels.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nataschawessels\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087402; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain abogados-en-alicante.es"; dns.query; content:"abogados-en-alicante.es"; nocase; pcre: "/(^|[^A-Za-z0-9-])abogados\-en\-alicante\.es$/i"; classtype:trojan-activity; sid:4087411; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain abogados-en-alicante.es"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"abogados-en-alicante.es"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])abogados\-en\-alicante\.es[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087412; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain hatech.io"; dns.query; content:"hatech.io"; nocase; pcre: "/(^|[^A-Za-z0-9-])hatech\.io$/i"; classtype:trojan-activity; sid:4087421; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain hatech.io"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hatech.io"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hatech\.io[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087422; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain pocket-opera.de"; dns.query; content:"pocket-opera.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])pocket\-opera\.de$/i"; classtype:trojan-activity; sid:4087431; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain pocket-opera.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pocket-opera.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pocket\-opera\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087432; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - 
S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain narcert.com"; dns.query; content:"narcert.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])narcert\.com$/i"; classtype:trojan-activity; sid:4087441; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain narcert.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"narcert.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])narcert\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087442; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain abogadosadomicilio.es"; dns.query; content:"abogadosadomicilio.es"; nocase; pcre: "/(^|[^A-Za-z0-9-])abogadosadomicilio\.es$/i"; classtype:trojan-activity; sid:4087451; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain abogadosadomicilio.es"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"abogadosadomicilio.es"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])abogadosadomicilio\.es[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087452; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - 
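S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain craftleathermnl.com"; dns.query; content:"craftleathermnl.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])craftleathermnl\.com$/i"; classtype:trojan-activity; sid:4087461; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# --- Review notes, MISP event 208 (sids 4087462-4087852 below) -----------------
# DNS rules are kept exactly as exported (dns.query + anchored PCRE; "Domain"
# entries also match subdomains, "Hostname" entries match the exact FQDN).
#
# HTTP rules were rewritten and bumped to rev:2. The exported form
#   http.header; content:"Host|3a|"; ... content:"X"; pcre:"/...X.../Hi";
# runs the PCRE over the whole normalized request-header buffer, so the rule
# fires when the indicator appears in ANY header (e.g. Referer) and not only in
# Host. The rewrite matches on the http.host sticky buffer instead:
#   "Domain"   -> http.host; dotprefix; content:".X"; endswith;   (X and *.X)
#   "Hostname" -> http.host; content:"X"; startswith; endswith;   (exact host)
# http.host is lowercased by the engine, so nocase is intentionally omitted.
# Requires Suricata >= 5.0 (dotprefix/endswith); the export already relies on
# 5.x sticky buffers (dns.query, http.header), so no new version constraint.
#
# NOTE(review): the rewrite was not test-loaded here - run `suricata -T` on this
# file before deploying. The msg strings contain unescaped double quotes coming
# from the MISP galaxy tags; confirm your Suricata version accepts them.
# NOTE(review): several indicators look like ordinary third-party websites
# (likely compromised hosts); treat alerts as leads and do not convert these to
# drop rules without an allowlist review.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain craftleathermnl.com"; flow:to_server,established; http.host; dotprefix; content:".craftleathermnl.com"; endswith; tag:session,600,seconds; classtype:trojan-activity; sid:4087462; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain resortmtn.com"; dns.query; content:"resortmtn.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])resortmtn\.com$/i"; classtype:trojan-activity; sid:4087471; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain resortmtn.com"; flow:to_server,established; http.host; dotprefix; content:".resortmtn.com"; endswith; tag:session,600,seconds; classtype:trojan-activity; sid:4087472; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain mezhdu-delom.ru"; dns.query; content:"mezhdu-delom.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])mezhdu\-delom\.ru$/i"; classtype:trojan-activity; sid:4087481; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain mezhdu-delom.ru"; flow:to_server,established; http.host; dotprefix; content:".mezhdu-delom.ru"; endswith; tag:session,600,seconds; classtype:trojan-activity; sid:4087482; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain danskretursystem.dk"; dns.query; content:"danskretursystem.dk"; nocase; pcre: "/(^|[^A-Za-z0-9-])danskretursystem\.dk$/i"; classtype:trojan-activity; sid:4087491; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain danskretursystem.dk"; flow:to_server,established; http.host; dotprefix; content:".danskretursystem.dk"; endswith; tag:session,600,seconds; classtype:trojan-activity; sid:4087492; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain kojima-shihou.com"; dns.query; content:"kojima-shihou.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])kojima\-shihou\.com$/i"; classtype:trojan-activity; sid:4087501; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain kojima-shihou.com"; flow:to_server,established; http.host; dotprefix; content:".kojima-shihou.com"; endswith; tag:session,600,seconds; classtype:trojan-activity; sid:4087502; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain intecwi.com"; dns.query; content:"intecwi.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])intecwi\.com$/i"; classtype:trojan-activity; sid:4087511; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain intecwi.com"; flow:to_server,established; http.host; dotprefix; content:".intecwi.com"; endswith; tag:session,600,seconds; classtype:trojan-activity; sid:4087512; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain smale-opticiens.nl"; dns.query; content:"smale-opticiens.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])smale\-opticiens\.nl$/i"; classtype:trojan-activity; sid:4087521; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain smale-opticiens.nl"; flow:to_server,established; http.host; dotprefix; content:".smale-opticiens.nl"; endswith; tag:session,600,seconds; classtype:trojan-activity; sid:4087522; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain urclan.net"; dns.query; content:"urclan.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])urclan\.net$/i"; classtype:trojan-activity; sid:4087531; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain urclan.net"; flow:to_server,established; http.host; dotprefix; content:".urclan.net"; endswith; tag:session,600,seconds; classtype:trojan-activity; sid:4087532; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain sofavietxinh.com"; dns.query; content:"sofavietxinh.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])sofavietxinh\.com$/i"; classtype:trojan-activity; sid:4087541; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain sofavietxinh.com"; flow:to_server,established; http.host; dotprefix; content:".sofavietxinh.com"; endswith; tag:session,600,seconds; classtype:trojan-activity; sid:4087542; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname meusharklinithome.wordpress.com"; dns.query; content:"meusharklinithome.wordpress.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])meusharklinithome\.wordpress\.com$/i"; classtype:trojan-activity; sid:4087551; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname meusharklinithome.wordpress.com"; flow:to_server,established; http.host; content:"meusharklinithome.wordpress.com"; startswith; endswith; tag:session,600,seconds; classtype:trojan-activity; sid:4087552; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain truenyc.co"; dns.query; content:"truenyc.co"; nocase; pcre: "/(^|[^A-Za-z0-9-])truenyc\.co$/i"; classtype:trojan-activity; sid:4087561; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain truenyc.co"; flow:to_server,established; http.host; dotprefix; content:".truenyc.co"; endswith; tag:session,600,seconds; classtype:trojan-activity; sid:4087562; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain praxis-management-plus.de"; dns.query; content:"praxis-management-plus.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])praxis\-management\-plus\.de$/i"; classtype:trojan-activity; sid:4087571; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain praxis-management-plus.de"; flow:to_server,established; http.host; dotprefix; content:".praxis-management-plus.de"; endswith; tag:session,600,seconds; classtype:trojan-activity; sid:4087572; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain chefdays.de"; dns.query; content:"chefdays.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])chefdays\.de$/i"; classtype:trojan-activity; sid:4087581; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain chefdays.de"; flow:to_server,established; http.host; dotprefix; content:".chefdays.de"; endswith; tag:session,600,seconds; classtype:trojan-activity; sid:4087582; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain renergysolution.com"; dns.query; content:"renergysolution.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])renergysolution\.com$/i"; classtype:trojan-activity; sid:4087591; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain renergysolution.com"; flow:to_server,established; http.host; dotprefix; content:".renergysolution.com"; endswith; tag:session,600,seconds; classtype:trojan-activity; sid:4087592; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname copystar.co.uk"; dns.query; content:"copystar.co.uk"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])copystar\.co\.uk$/i"; classtype:trojan-activity; sid:4087601; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname copystar.co.uk"; flow:to_server,established; http.host; content:"copystar.co.uk"; startswith; endswith; tag:session,600,seconds; classtype:trojan-activity; sid:4087602; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain bordercollie-nim.nl"; dns.query; content:"bordercollie-nim.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])bordercollie\-nim\.nl$/i"; classtype:trojan-activity; sid:4087611; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain bordercollie-nim.nl"; flow:to_server,established; http.host; dotprefix; content:".bordercollie-nim.nl"; endswith; tag:session,600,seconds; classtype:trojan-activity; sid:4087612; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain campus2day.de"; dns.query; content:"campus2day.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])campus2day\.de$/i"; classtype:trojan-activity; sid:4087621; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain campus2day.de"; flow:to_server,established; http.host; dotprefix; content:".campus2day.de"; endswith; tag:session,600,seconds; classtype:trojan-activity; sid:4087622; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain jusibe.com"; dns.query; content:"jusibe.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])jusibe\.com$/i"; classtype:trojan-activity; sid:4087631; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain jusibe.com"; flow:to_server,established; http.host; dotprefix; content:".jusibe.com"; endswith; tag:session,600,seconds; classtype:trojan-activity; sid:4087632; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain bxdf.info"; dns.query; content:"bxdf.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])bxdf\.info$/i"; classtype:trojan-activity; sid:4087641; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain bxdf.info"; flow:to_server,established; http.host; dotprefix; content:".bxdf.info"; endswith; tag:session,600,seconds; classtype:trojan-activity; sid:4087642; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname bowengroup.com.au"; dns.query; content:"bowengroup.com.au"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])bowengroup\.com\.au$/i"; classtype:trojan-activity; sid:4087651; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname bowengroup.com.au"; flow:to_server,established; http.host; content:"bowengroup.com.au"; startswith; endswith; tag:session,600,seconds; classtype:trojan-activity; sid:4087652; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain conexa4papers.trade"; dns.query; content:"conexa4papers.trade"; nocase; pcre: "/(^|[^A-Za-z0-9-])conexa4papers\.trade$/i"; classtype:trojan-activity; sid:4087661; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain conexa4papers.trade"; flow:to_server,established; http.host; dotprefix; content:".conexa4papers.trade"; endswith; tag:session,600,seconds; classtype:trojan-activity; sid:4087662; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain abl1.net"; dns.query; content:"abl1.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])abl1\.net$/i"; classtype:trojan-activity; sid:4087671; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain abl1.net"; flow:to_server,established; http.host; dotprefix; content:".abl1.net"; endswith; tag:session,600,seconds; classtype:trojan-activity; sid:4087672; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain austinlchurch.com"; dns.query; content:"austinlchurch.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])austinlchurch\.com$/i"; classtype:trojan-activity; sid:4087681; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain austinlchurch.com"; flow:to_server,established; http.host; dotprefix; content:".austinlchurch.com"; endswith; tag:session,600,seconds; classtype:trojan-activity; sid:4087682; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain bigler-hrconsulting.ch"; dns.query; content:"bigler-hrconsulting.ch"; nocase; pcre: "/(^|[^A-Za-z0-9-])bigler\-hrconsulting\.ch$/i"; classtype:trojan-activity; sid:4087691; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain bigler-hrconsulting.ch"; flow:to_server,established; http.host; dotprefix; content:".bigler-hrconsulting.ch"; endswith; tag:session,600,seconds; classtype:trojan-activity; sid:4087692; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain veybachcenter.de"; dns.query; content:"veybachcenter.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])veybachcenter\.de$/i"; classtype:trojan-activity; sid:4087701; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain veybachcenter.de"; flow:to_server,established; http.host; dotprefix; content:".veybachcenter.de"; endswith; tag:session,600,seconds; classtype:trojan-activity; sid:4087702; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain 35-40konkatsu.net"; dns.query; content:"35-40konkatsu.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])35\-40konkatsu\.net$/i"; classtype:trojan-activity; sid:4087711; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain 35-40konkatsu.net"; flow:to_server,established; http.host; dotprefix; content:".35-40konkatsu.net"; endswith; tag:session,600,seconds; classtype:trojan-activity; sid:4087712; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain verbisonline.com"; dns.query; content:"verbisonline.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])verbisonline\.com$/i"; classtype:trojan-activity; sid:4087721; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain verbisonline.com"; flow:to_server,established; http.host; dotprefix; content:".verbisonline.com"; endswith; tag:session,600,seconds; classtype:trojan-activity; sid:4087722; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname ceid.info.tr"; dns.query; content:"ceid.info.tr"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ceid\.info\.tr$/i"; classtype:trojan-activity; sid:4087731; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname ceid.info.tr"; flow:to_server,established; http.host; content:"ceid.info.tr"; startswith; endswith; tag:session,600,seconds; classtype:trojan-activity; sid:4087732; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain oceanastudios.com"; dns.query; content:"oceanastudios.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])oceanastudios\.com$/i"; classtype:trojan-activity; sid:4087741; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain oceanastudios.com"; flow:to_server,established; http.host; dotprefix; content:".oceanastudios.com"; endswith; tag:session,600,seconds; classtype:trojan-activity; sid:4087742; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain limassoldriving.com"; dns.query; content:"limassoldriving.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])limassoldriving\.com$/i"; classtype:trojan-activity; sid:4087751; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain limassoldriving.com"; flow:to_server,established; http.host; dotprefix; content:".limassoldriving.com"; endswith; tag:session,600,seconds; classtype:trojan-activity; sid:4087752; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain importardechina.info"; dns.query; content:"importardechina.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])importardechina\.info$/i"; classtype:trojan-activity; sid:4087761; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain importardechina.info"; flow:to_server,established; http.host; dotprefix; content:".importardechina.info"; endswith; tag:session,600,seconds; classtype:trojan-activity; sid:4087762; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain birnam-wood.com"; dns.query; content:"birnam-wood.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])birnam\-wood\.com$/i"; classtype:trojan-activity; sid:4087771; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain birnam-wood.com"; flow:to_server,established; http.host; dotprefix; content:".birnam-wood.com"; endswith; tag:session,600,seconds; classtype:trojan-activity; sid:4087772; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain corendonhotels.com"; dns.query; content:"corendonhotels.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])corendonhotels\.com$/i"; classtype:trojan-activity; sid:4087781; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain corendonhotels.com"; flow:to_server,established; http.host; dotprefix; content:".corendonhotels.com"; endswith; tag:session,600,seconds; classtype:trojan-activity; sid:4087782; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain psa-sec.de"; dns.query; content:"psa-sec.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])psa\-sec\.de$/i"; classtype:trojan-activity; sid:4087791; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain psa-sec.de"; flow:to_server,established; http.host; dotprefix; content:".psa-sec.de"; endswith; tag:session,600,seconds; classtype:trojan-activity; sid:4087792; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain smogathon.com"; dns.query; content:"smogathon.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])smogathon\.com$/i"; classtype:trojan-activity; sid:4087801; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain smogathon.com"; flow:to_server,established; http.host; dotprefix; content:".smogathon.com"; endswith; tag:session,600,seconds; classtype:trojan-activity; sid:4087802; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain pointos.com"; dns.query; content:"pointos.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])pointos\.com$/i"; classtype:trojan-activity; sid:4087811; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain pointos.com"; flow:to_server,established; http.host; dotprefix; content:".pointos.com"; endswith; tag:session,600,seconds; classtype:trojan-activity; sid:4087812; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain scenepublique.net"; dns.query; content:"scenepublique.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])scenepublique\.net$/i"; classtype:trojan-activity; sid:4087821; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain scenepublique.net"; flow:to_server,established; http.host; dotprefix; content:".scenepublique.net"; endswith; tag:session,600,seconds; classtype:trojan-activity; sid:4087822; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain liliesandbeauties.org"; dns.query; content:"liliesandbeauties.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])liliesandbeauties\.org$/i"; classtype:trojan-activity; sid:4087831; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain liliesandbeauties.org"; flow:to_server,established; http.host; dotprefix; content:".liliesandbeauties.org"; endswith; tag:session,600,seconds; classtype:trojan-activity; sid:4087832; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain ccpbroadband.com"; dns.query; content:"ccpbroadband.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ccpbroadband\.com$/i"; classtype:trojan-activity; sid:4087841; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain ccpbroadband.com"; flow:to_server,established; http.host; dotprefix; content:".ccpbroadband.com"; endswith; tag:session,600,seconds; classtype:trojan-activity; sid:4087842; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain perbudget.com"; dns.query; content:"perbudget.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])perbudget\.com$/i"; classtype:trojan-activity; sid:4087851; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain perbudget.com"; flow:to_server,established; http.host; dotprefix; content:".perbudget.com"; endswith; tag:session,600,seconds; classtype:trojan-activity; sid:4087852; rev:2; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain 4net.guru"; dns.query; content:"4net.guru"; nocase; pcre: "/(^|[^A-Za-z0-9-])4net\.guru$/i"; classtype:trojan-activity; sid:4087861; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;)
# NOTE(review): the 4net.guru HTTP rule (sid:4087862) continues past this point
# in the export and was left in its original http.header/PCRE form.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain 4net.guru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; 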
content:"4net.guru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])4net\.guru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087862; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain beaconhealthsystem.org"; dns.query; content:"beaconhealthsystem.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])beaconhealthsystem\.org$/i"; classtype:trojan-activity; sid:4087871; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain beaconhealthsystem.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"beaconhealthsystem.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])beaconhealthsystem\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087872; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain turkcaparbariatrics.com"; dns.query; content:"turkcaparbariatrics.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])turkcaparbariatrics\.com$/i"; classtype:trojan-activity; sid:4087881; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain turkcaparbariatrics.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; 
http.header; content:"turkcaparbariatrics.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])turkcaparbariatrics\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087882; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain i-trust.dk"; dns.query; content:"i-trust.dk"; nocase; pcre: "/(^|[^A-Za-z0-9-])i\-trust\.dk$/i"; classtype:trojan-activity; sid:4087891; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain i-trust.dk"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"i-trust.dk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])i\-trust\.dk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087892; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain insigniapmg.com"; dns.query; content:"insigniapmg.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])insigniapmg\.com$/i"; classtype:trojan-activity; sid:4087901; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain insigniapmg.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"insigniapmg.com"; fast_pattern; nocase; 
pcre: "/(^|[^A-Za-z0-9-])insigniapmg\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087902; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain tennisclubetten.nl"; dns.query; content:"tennisclubetten.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])tennisclubetten\.nl$/i"; classtype:trojan-activity; sid:4087911; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain tennisclubetten.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tennisclubetten.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tennisclubetten\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087912; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain thee.network"; dns.query; content:"thee.network"; nocase; pcre: "/(^|[^A-Za-z0-9-])thee\.network$/i"; classtype:trojan-activity; sid:4087921; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain thee.network"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"thee.network"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])thee\.network[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087922; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain despedidascostablanca.es"; dns.query; content:"despedidascostablanca.es"; nocase; pcre: "/(^|[^A-Za-z0-9-])despedidascostablanca\.es$/i"; classtype:trojan-activity; sid:4087931; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain despedidascostablanca.es"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"despedidascostablanca.es"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])despedidascostablanca\.es[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087932; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain portoesdofarrobo.com"; dns.query; content:"portoesdofarrobo.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])portoesdofarrobo\.com$/i"; classtype:trojan-activity; sid:4087941; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain portoesdofarrobo.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"portoesdofarrobo.com"; 
fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])portoesdofarrobo\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087942; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain chavesdoareeiro.com"; dns.query; content:"chavesdoareeiro.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])chavesdoareeiro\.com$/i"; classtype:trojan-activity; sid:4087951; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain chavesdoareeiro.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"chavesdoareeiro.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])chavesdoareeiro\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087952; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain boisehosting.net"; dns.query; content:"boisehosting.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])boisehosting\.net$/i"; classtype:trojan-activity; sid:4087961; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain boisehosting.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"boisehosting.net"; fast_pattern; 
nocase; pcre: "/(^|[^A-Za-z0-9-])boisehosting\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087962; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain deoudedorpskernnoordwijk.nl"; dns.query; content:"deoudedorpskernnoordwijk.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])deoudedorpskernnoordwijk\.nl$/i"; classtype:trojan-activity; sid:4087971; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain deoudedorpskernnoordwijk.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"deoudedorpskernnoordwijk.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])deoudedorpskernnoordwijk\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087972; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain gaiam.nl"; dns.query; content:"gaiam.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])gaiam\.nl$/i"; classtype:trojan-activity; sid:4087981; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain gaiam.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gaiam.nl"; fast_pattern; nocase; 
pcre: "/(^|[^A-Za-z0-9-])gaiam\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087982; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain madinblack.com"; dns.query; content:"madinblack.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])madinblack\.com$/i"; classtype:trojan-activity; sid:4087991; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain madinblack.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"madinblack.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])madinblack\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4087992; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain saxtec.com"; dns.query; content:"saxtec.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])saxtec\.com$/i"; classtype:trojan-activity; sid:4088001; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain saxtec.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"saxtec.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])saxtec\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4088002; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain gadgetedges.com"; dns.query; content:"gadgetedges.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])gadgetedges\.com$/i"; classtype:trojan-activity; sid:4088011; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain gadgetedges.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gadgetedges.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gadgetedges\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088012; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain humanityplus.org"; dns.query; content:"humanityplus.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])humanityplus\.org$/i"; classtype:trojan-activity; sid:4088021; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain humanityplus.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"humanityplus.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])humanityplus\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088022; 
rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain macabaneaupaysflechois.com"; dns.query; content:"macabaneaupaysflechois.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])macabaneaupaysflechois\.com$/i"; classtype:trojan-activity; sid:4088031; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain macabaneaupaysflechois.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"macabaneaupaysflechois.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])macabaneaupaysflechois\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088032; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain dirittosanitario.biz"; dns.query; content:"dirittosanitario.biz"; nocase; pcre: "/(^|[^A-Za-z0-9-])dirittosanitario\.biz$/i"; classtype:trojan-activity; sid:4088041; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain dirittosanitario.biz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dirittosanitario.biz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dirittosanitario\.biz[^A-Za-z0-9-\.]/Hi"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4088042; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname glennroberts.co.nz"; dns.query; content:"glennroberts.co.nz"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])glennroberts\.co\.nz$/i"; classtype:trojan-activity; sid:4088051; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname glennroberts.co.nz"; flow:to_server,established; http.header; content: "Host|3a| glennroberts.co.nz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])glennroberts\.co\.nz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088052; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain myteamgenius.com"; dns.query; content:"myteamgenius.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])myteamgenius\.com$/i"; classtype:trojan-activity; sid:4088061; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain myteamgenius.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"myteamgenius.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])myteamgenius\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4088062; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain deschl.net"; dns.query; content:"deschl.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])deschl\.net$/i"; classtype:trojan-activity; sid:4088071; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain deschl.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"deschl.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])deschl\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088072; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain plv.media"; dns.query; content:"plv.media"; nocase; pcre: "/(^|[^A-Za-z0-9-])plv\.media$/i"; classtype:trojan-activity; sid:4088081; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain plv.media"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"plv.media"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])plv\.media[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088082; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) 
alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain thaysa.com"; dns.query; content:"thaysa.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])thaysa\.com$/i"; classtype:trojan-activity; sid:4088091; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain thaysa.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"thaysa.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])thaysa\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088092; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain parebrise-tla.fr"; dns.query; content:"parebrise-tla.fr"; nocase; pcre: "/(^|[^A-Za-z0-9-])parebrise\-tla\.fr$/i"; classtype:trojan-activity; sid:4088101; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain parebrise-tla.fr"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"parebrise-tla.fr"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])parebrise\-tla\.fr[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088102; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain cranleighscoutgroup.org"; dns.query; content:"cranleighscoutgroup.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])cranleighscoutgroup\.org$/i"; classtype:trojan-activity; sid:4088111; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain cranleighscoutgroup.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cranleighscoutgroup.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cranleighscoutgroup\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088112; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain itelagen.com"; dns.query; content:"itelagen.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])itelagen\.com$/i"; classtype:trojan-activity; sid:4088121; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain itelagen.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"itelagen.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])itelagen\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088122; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain aselbermachen.com"; dns.query; content:"aselbermachen.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])aselbermachen\.com$/i"; classtype:trojan-activity; sid:4088131; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain aselbermachen.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"aselbermachen.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])aselbermachen\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088132; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain jiloc.com"; dns.query; content:"jiloc.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])jiloc\.com$/i"; classtype:trojan-activity; sid:4088141; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain jiloc.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"jiloc.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])jiloc\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088142; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - 
S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain manutouchmassage.com"; dns.query; content:"manutouchmassage.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])manutouchmassage\.com$/i"; classtype:trojan-activity; sid:4088151; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain manutouchmassage.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"manutouchmassage.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])manutouchmassage\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088152; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain figura.team"; dns.query; content:"figura.team"; nocase; pcre: "/(^|[^A-Za-z0-9-])figura\.team$/i"; classtype:trojan-activity; sid:4088171; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain figura.team"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"figura.team"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])figura\.team[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088172; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - 
S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname richard-felix.co.uk"; dns.query; content:"richard-felix.co.uk"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])richard\-felix\.co\.uk$/i"; classtype:trojan-activity; sid:4088181; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname richard-felix.co.uk"; flow:to_server,established; http.header; content: "Host|3a| richard-felix.co.uk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])richard\-felix\.co\.uk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088182; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain whyinterestingly.ru"; dns.query; content:"whyinterestingly.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])whyinterestingly\.ru$/i"; classtype:trojan-activity; sid:4088191; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain whyinterestingly.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"whyinterestingly.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])whyinterestingly\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088192; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - 
S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname harpershologram.wordpress.com"; dns.query; content:"harpershologram.wordpress.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])harpershologram\.wordpress\.com$/i"; classtype:trojan-activity; sid:4088201; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname harpershologram.wordpress.com"; flow:to_server,established; http.header; content: "Host|3a| harpershologram.wordpress.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])harpershologram\.wordpress\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088202; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain jenniferandersonwriter.com"; dns.query; content:"jenniferandersonwriter.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])jenniferandersonwriter\.com$/i"; classtype:trojan-activity; sid:4088211; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain jenniferandersonwriter.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"jenniferandersonwriter.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])jenniferandersonwriter\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088212; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> 
any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain houseofplus.com"; dns.query; content:"houseofplus.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])houseofplus\.com$/i"; classtype:trojan-activity; sid:4088221; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain houseofplus.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"houseofplus.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])houseofplus\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088222; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain accountancywijchen.nl"; dns.query; content:"accountancywijchen.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])accountancywijchen\.nl$/i"; classtype:trojan-activity; sid:4088231; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain accountancywijchen.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"accountancywijchen.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])accountancywijchen\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088232; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: 
"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain fibrofolliculoma.info"; dns.query; content:"fibrofolliculoma.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])fibrofolliculoma\.info$/i"; classtype:trojan-activity; sid:4088241; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain fibrofolliculoma.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"fibrofolliculoma.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])fibrofolliculoma\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088242; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain notmissingout.com"; dns.query; content:"notmissingout.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])notmissingout\.com$/i"; classtype:trojan-activity; sid:4088251; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain notmissingout.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"notmissingout.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])notmissingout\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088252; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: 
"MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain exenberger.at"; dns.query; content:"exenberger.at"; nocase; pcre: "/(^|[^A-Za-z0-9-])exenberger\.at$/i"; classtype:trojan-activity; sid:4088261; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain exenberger.at"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"exenberger.at"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])exenberger\.at[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088262; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname blog.solutionsarchitect.guru"; dns.query; content:"blog.solutionsarchitect.guru"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])blog\.solutionsarchitect\.guru$/i"; classtype:trojan-activity; sid:4088271; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname blog.solutionsarchitect.guru"; flow:to_server,established; http.header; content: "Host|3a| blog.solutionsarchitect.guru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])blog\.solutionsarchitect\.guru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088272; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP 
e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain body-guards.it"; dns.query; content:"body-guards.it"; nocase; pcre: "/(^|[^A-Za-z0-9-])body\-guards\.it$/i"; classtype:trojan-activity; sid:4088281; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain body-guards.it"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"body-guards.it"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])body\-guards\.it[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088282; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain lloydconstruction.com"; dns.query; content:"lloydconstruction.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])lloydconstruction\.com$/i"; classtype:trojan-activity; sid:4088291; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain lloydconstruction.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lloydconstruction.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lloydconstruction\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088292; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain durganews.com"; dns.query; content:"durganews.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])durganews\.com$/i"; classtype:trojan-activity; sid:4088301; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain durganews.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"durganews.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])durganews\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088302; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain vibehouse.rw"; dns.query; content:"vibehouse.rw"; nocase; pcre: "/(^|[^A-Za-z0-9-])vibehouse\.rw$/i"; classtype:trojan-activity; sid:4088311; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain vibehouse.rw"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vibehouse.rw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vibehouse\.rw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088312; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - 
S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain solinegraphic.com"; dns.query; content:"solinegraphic.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])solinegraphic\.com$/i"; classtype:trojan-activity; sid:4088321; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain solinegraphic.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"solinegraphic.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])solinegraphic\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088322; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain devok.info"; dns.query; content:"devok.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])devok\.info$/i"; classtype:trojan-activity; sid:4088331; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain devok.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"devok.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])devok\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088332; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - 
S0029",tlp:white] Domain ikads.org"; dns.query; content:"ikads.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])ikads\.org$/i"; classtype:trojan-activity; sid:4088341; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain ikads.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ikads.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ikads\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088342; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain thefixhut.com"; dns.query; content:"thefixhut.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])thefixhut\.com$/i"; classtype:trojan-activity; sid:4088351; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain thefixhut.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"thefixhut.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])thefixhut\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088352; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain cite4me.org"; dns.query; content:"cite4me.org"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])cite4me\.org$/i"; classtype:trojan-activity; sid:4088361; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain cite4me.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cite4me.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cite4me\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088362; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain ateliergamila.com"; dns.query; content:"ateliergamila.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ateliergamila\.com$/i"; classtype:trojan-activity; sid:4088371; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain ateliergamila.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ateliergamila.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ateliergamila\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088372; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain vickiegrayimages.com"; dns.query; content:"vickiegrayimages.com"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])vickiegrayimages\.com$/i"; classtype:trojan-activity; sid:4088381; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain vickiegrayimages.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vickiegrayimages.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vickiegrayimages\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088382; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain milsing.hr"; dns.query; content:"milsing.hr"; nocase; pcre: "/(^|[^A-Za-z0-9-])milsing\.hr$/i"; classtype:trojan-activity; sid:4088391; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain milsing.hr"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"milsing.hr"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])milsing\.hr[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088392; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain ruralarcoiris.com"; dns.query; content:"ruralarcoiris.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ruralarcoiris\.com$/i"; 
classtype:trojan-activity; sid:4088401; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain ruralarcoiris.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ruralarcoiris.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ruralarcoiris\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088402; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain danielblum.info"; dns.query; content:"danielblum.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])danielblum\.info$/i"; classtype:trojan-activity; sid:4088411; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain danielblum.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"danielblum.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])danielblum\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088412; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain iyahayki.nl"; dns.query; content:"iyahayki.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])iyahayki\.nl$/i"; classtype:trojan-activity; sid:4088421; rev:1; 
priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain iyahayki.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"iyahayki.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])iyahayki\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088422; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain expandet.dk"; dns.query; content:"expandet.dk"; nocase; pcre: "/(^|[^A-Za-z0-9-])expandet\.dk$/i"; classtype:trojan-activity; sid:4088431; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain expandet.dk"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"expandet.dk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])expandet\.dk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088432; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain tanciu.com"; dns.query; content:"tanciu.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])tanciu\.com$/i"; classtype:trojan-activity; sid:4088441; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain tanciu.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tanciu.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tanciu\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088442; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain stingraybeach.com"; dns.query; content:"stingraybeach.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])stingraybeach\.com$/i"; classtype:trojan-activity; sid:4088451; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain stingraybeach.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"stingraybeach.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])stingraybeach\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088452; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain morawe-krueger.de"; dns.query; content:"morawe-krueger.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])morawe\-krueger\.de$/i"; classtype:trojan-activity; sid:4088461; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain morawe-krueger.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"morawe-krueger.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])morawe\-krueger\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088462; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname hairnetty.wordpress.com"; dns.query; content:"hairnetty.wordpress.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])hairnetty\.wordpress\.com$/i"; classtype:trojan-activity; sid:4088471; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname hairnetty.wordpress.com"; flow:to_server,established; http.header; content: "Host|3a| hairnetty.wordpress.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])hairnetty\.wordpress\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088472; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain oldschoolfun.net"; dns.query; content:"oldschoolfun.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])oldschoolfun\.net$/i"; classtype:trojan-activity; sid:4088481; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain oldschoolfun.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"oldschoolfun.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])oldschoolfun\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088482; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain eco-southafrica.com"; dns.query; content:"eco-southafrica.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])eco\-southafrica\.com$/i"; classtype:trojan-activity; sid:4088491; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain eco-southafrica.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"eco-southafrica.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])eco\-southafrica\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088492; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain 8449nohate.org"; dns.query; content:"8449nohate.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])8449nohate\.org$/i"; classtype:trojan-activity; sid:4088501; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain 8449nohate.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"8449nohate.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])8449nohate\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088502; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain olejack.ru"; dns.query; content:"olejack.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])olejack\.ru$/i"; classtype:trojan-activity; sid:4088511; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain olejack.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"olejack.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])olejack\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088512; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain projetlyonturin.fr"; dns.query; content:"projetlyonturin.fr"; nocase; pcre: "/(^|[^A-Za-z0-9-])projetlyonturin\.fr$/i"; classtype:trojan-activity; sid:4088521; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - 
S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain projetlyonturin.fr"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"projetlyonturin.fr"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])projetlyonturin\.fr[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088522; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname vesinhnha.com.vn"; dns.query; content:"vesinhnha.com.vn"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])vesinhnha\.com\.vn$/i"; classtype:trojan-activity; sid:4088531; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname vesinhnha.com.vn"; flow:to_server,established; http.header; content: "Host|3a| vesinhnha.com.vn"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])vesinhnha\.com\.vn[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088532; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain fiscalsort.com"; dns.query; content:"fiscalsort.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])fiscalsort\.com$/i"; classtype:trojan-activity; sid:4088541; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - 
S0029",tlp:white] Outgoing HTTP Domain fiscalsort.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"fiscalsort.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])fiscalsort\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088542; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain securityfmm.com"; dns.query; content:"securityfmm.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])securityfmm\.com$/i"; classtype:trojan-activity; sid:4088551; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain securityfmm.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"securityfmm.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])securityfmm\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088552; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain officehymy.com"; dns.query; content:"officehymy.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])officehymy\.com$/i"; classtype:trojan-activity; sid:4088561; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain officehymy.com"; 
flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"officehymy.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])officehymy\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088562; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain memaag.com"; dns.query; content:"memaag.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])memaag\.com$/i"; classtype:trojan-activity; sid:4088571; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain memaag.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"memaag.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])memaag\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088572; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname havecamerawilltravel2017.wordpress.com"; dns.query; content:"havecamerawilltravel2017.wordpress.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])havecamerawilltravel2017\.wordpress\.com$/i"; classtype:trojan-activity; sid:4088581; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname 
havecamerawilltravel2017.wordpress.com"; flow:to_server,established; http.header; content: "Host|3a| havecamerawilltravel2017.wordpress.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])havecamerawilltravel2017\.wordpress\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088582; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain denifl-consulting.at"; dns.query; content:"denifl-consulting.at"; nocase; pcre: "/(^|[^A-Za-z0-9-])denifl\-consulting\.at$/i"; classtype:trojan-activity; sid:4088591; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain denifl-consulting.at"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"denifl-consulting.at"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])denifl\-consulting\.at[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088592; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain wurmpower.at"; dns.query; content:"wurmpower.at"; nocase; pcre: "/(^|[^A-Za-z0-9-])wurmpower\.at$/i"; classtype:trojan-activity; sid:4088601; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] 
Outgoing HTTP Domain wurmpower.at"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wurmpower.at"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wurmpower\.at[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088602; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain koken-voor-baby.nl"; dns.query; content:"koken-voor-baby.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])koken\-voor\-baby\.nl$/i"; classtype:trojan-activity; sid:4088611; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain koken-voor-baby.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"koken-voor-baby.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])koken\-voor\-baby\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088612; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname mardenherefordshire-pc.gov.uk"; dns.query; content:"mardenherefordshire-pc.gov.uk"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mardenherefordshire\-pc\.gov\.uk$/i"; classtype:trojan-activity; sid:4088621; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - 
S0029",tlp:white] Outgoing HTTP Hostname mardenherefordshire-pc.gov.uk"; flow:to_server,established; http.header; content: "Host|3a| mardenherefordshire-pc.gov.uk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mardenherefordshire\-pc\.gov\.uk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088622; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain kuntokeskusrok.fi"; dns.query; content:"kuntokeskusrok.fi"; nocase; pcre: "/(^|[^A-Za-z0-9-])kuntokeskusrok\.fi$/i"; classtype:trojan-activity; sid:4088631; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain kuntokeskusrok.fi"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kuntokeskusrok.fi"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kuntokeskusrok\.fi[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088632; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain extensionmaison.info"; dns.query; content:"extensionmaison.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])extensionmaison\.info$/i"; classtype:trojan-activity; sid:4088641; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - 
S0029",tlp:white] Outgoing HTTP Domain extensionmaison.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"extensionmaison.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])extensionmaison\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088642; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname grupocarvalhoerodrigues.com.br"; dns.query; content:"grupocarvalhoerodrigues.com.br"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])grupocarvalhoerodrigues\.com\.br$/i"; classtype:trojan-activity; sid:4088651; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname grupocarvalhoerodrigues.com.br"; flow:to_server,established; http.header; content: "Host|3a| grupocarvalhoerodrigues.com.br"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])grupocarvalhoerodrigues\.com\.br[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088652; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain juneauopioidworkgroup.org"; dns.query; content:"juneauopioidworkgroup.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])juneauopioidworkgroup\.org$/i"; classtype:trojan-activity; sid:4088661; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain juneauopioidworkgroup.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"juneauopioidworkgroup.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])juneauopioidworkgroup\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088662; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain mountsoul.de"; dns.query; content:"mountsoul.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])mountsoul\.de$/i"; classtype:trojan-activity; sid:4088671; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain mountsoul.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mountsoul.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mountsoul\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088672; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain prochain-voyage.net"; dns.query; content:"prochain-voyage.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])prochain\-voyage\.net$/i"; classtype:trojan-activity; sid:4088681; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain prochain-voyage.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"prochain-voyage.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])prochain\-voyage\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088682; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain parks-nuernberg.de"; dns.query; content:"parks-nuernberg.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])parks\-nuernberg\.de$/i"; classtype:trojan-activity; sid:4088691; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain parks-nuernberg.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"parks-nuernberg.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])parks\-nuernberg\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088692; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain dutchcoder.nl"; dns.query; content:"dutchcoder.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])dutchcoder\.nl$/i"; classtype:trojan-activity; sid:4088701; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain dutchcoder.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dutchcoder.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dutchcoder\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088702; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain webhostingsrbija.rs"; dns.query; content:"webhostingsrbija.rs"; nocase; pcre: "/(^|[^A-Za-z0-9-])webhostingsrbija\.rs$/i"; classtype:trojan-activity; sid:4088711; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain webhostingsrbija.rs"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"webhostingsrbija.rs"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])webhostingsrbija\.rs[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088712; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain faizanullah.com"; dns.query; content:"faizanullah.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])faizanullah\.com$/i"; classtype:trojan-activity; sid:4088721; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain faizanullah.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"faizanullah.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])faizanullah\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088722; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain courteney-cox.net"; dns.query; content:"courteney-cox.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])courteney\-cox\.net$/i"; classtype:trojan-activity; sid:4088731; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain courteney-cox.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"courteney-cox.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])courteney\-cox\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088732; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname 321play.com.hk"; dns.query; content:"321play.com.hk"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])321play\.com\.hk$/i"; classtype:trojan-activity; sid:4088741; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 
[misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname 321play.com.hk"; flow:to_server,established; http.header; content: "Host|3a| 321play.com.hk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])321play\.com\.hk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088742; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain tandartspraktijkhartjegroningen.nl"; dns.query; content:"tandartspraktijkhartjegroningen.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])tandartspraktijkhartjegroningen\.nl$/i"; classtype:trojan-activity; sid:4088751; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain tandartspraktijkhartjegroningen.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tandartspraktijkhartjegroningen.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tandartspraktijkhartjegroningen\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088752; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain tsklogistik.eu"; dns.query; content:"tsklogistik.eu"; nocase; pcre: "/(^|[^A-Za-z0-9-])tsklogistik\.eu$/i"; classtype:trojan-activity; sid:4088761; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain tsklogistik.eu"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tsklogistik.eu"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tsklogistik\.eu[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088762; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain starsarecircular.org"; dns.query; content:"starsarecircular.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])starsarecircular\.org$/i"; classtype:trojan-activity; sid:4088771; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain starsarecircular.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"starsarecircular.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])starsarecircular\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088772; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain pawsuppetlovers.com"; dns.query; content:"pawsuppetlovers.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])pawsuppetlovers\.com$/i"; classtype:trojan-activity; sid:4088781; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain pawsuppetlovers.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pawsuppetlovers.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pawsuppetlovers\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088782; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain rumahminangberdaya.com"; dns.query; content:"rumahminangberdaya.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])rumahminangberdaya\.com$/i"; classtype:trojan-activity; sid:4088791; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain rumahminangberdaya.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"rumahminangberdaya.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])rumahminangberdaya\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088792; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain kunze-immobilien.de"; dns.query; content:"kunze-immobilien.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])kunze\-immobilien\.de$/i"; classtype:trojan-activity; sid:4088801; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain kunze-immobilien.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kunze-immobilien.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kunze\-immobilien\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088802; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain proudground.org"; dns.query; content:"proudground.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])proudground\.org$/i"; classtype:trojan-activity; sid:4088811; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain proudground.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"proudground.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])proudground\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088812; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain insidegarage.pl"; dns.query; content:"insidegarage.pl"; nocase; pcre: "/(^|[^A-Za-z0-9-])insidegarage\.pl$/i"; classtype:trojan-activity; sid:4088821; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain insidegarage.pl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"insidegarage.pl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])insidegarage\.pl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088822; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain calxplus.eu"; dns.query; content:"calxplus.eu"; nocase; pcre: "/(^|[^A-Za-z0-9-])calxplus\.eu$/i"; classtype:trojan-activity; sid:4088831; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain calxplus.eu"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"calxplus.eu"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])calxplus\.eu[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088832; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain shonacox.com"; dns.query; content:"shonacox.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])shonacox\.com$/i"; classtype:trojan-activity; sid:4088841; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - 
S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain shonacox.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"shonacox.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])shonacox\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088842; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Hostname funjose.org.gt"; dns.query; content:"funjose.org.gt"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])funjose\.org\.gt$/i"; classtype:trojan-activity; sid:4088851; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Hostname funjose.org.gt"; flow:to_server,established; http.header; content: "Host|3a| funjose.org.gt"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])funjose\.org\.gt[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088852; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain ungsvenskarna.se"; dns.query; content:"ungsvenskarna.se"; nocase; pcre: "/(^|[^A-Za-z0-9-])ungsvenskarna\.se$/i"; classtype:trojan-activity; sid:4088861; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] 
Outgoing HTTP Domain ungsvenskarna.se"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ungsvenskarna.se"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ungsvenskarna\.se[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088862; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain bradynursery.com"; dns.query; content:"bradynursery.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])bradynursery\.com$/i"; classtype:trojan-activity; sid:4088871; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain bradynursery.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bradynursery.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bradynursery\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088872; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain bockamp.com"; dns.query; content:"bockamp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])bockamp\.com$/i"; classtype:trojan-activity; sid:4088881; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain bockamp.com"; 
flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bockamp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bockamp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088882; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain oneplusresource.org"; dns.query; content:"oneplusresource.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])oneplusresource\.org$/i"; classtype:trojan-activity; sid:4088891; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain oneplusresource.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"oneplusresource.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])oneplusresource\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088892; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain bimnapratica.com"; dns.query; content:"bimnapratica.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])bimnapratica\.com$/i"; classtype:trojan-activity; sid:4088901; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain bimnapratica.com"; flow:to_server,established; 
http.header; content: "Host|3a|"; nocase; http.header; content:"bimnapratica.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bimnapratica\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088902; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain dublikator.com"; dns.query; content:"dublikator.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])dublikator\.com$/i"; classtype:trojan-activity; sid:4088911; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain dublikator.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dublikator.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dublikator\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088912; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain familypark40.com"; dns.query; content:"familypark40.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])familypark40\.com$/i"; classtype:trojan-activity; sid:4088921; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain familypark40.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; 
http.header; content:"familypark40.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])familypark40\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088922; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain musictreehouse.net"; dns.query; content:"musictreehouse.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])musictreehouse\.net$/i"; classtype:trojan-activity; sid:4088931; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain musictreehouse.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"musictreehouse.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])musictreehouse\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088932; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain wellplast.se"; dns.query; content:"wellplast.se"; nocase; pcre: "/(^|[^A-Za-z0-9-])wellplast\.se$/i"; classtype:trojan-activity; sid:4088941; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain wellplast.se"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wellplast.se"; 
fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wellplast\.se[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088942; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain ilive.lt"; dns.query; content:"ilive.lt"; nocase; pcre: "/(^|[^A-Za-z0-9-])ilive\.lt$/i"; classtype:trojan-activity; sid:4088951; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain ilive.lt"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ilive.lt"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ilive\.lt[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088952; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain tstaffing.nl"; dns.query; content:"tstaffing.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])tstaffing\.nl$/i"; classtype:trojan-activity; sid:4088961; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain tstaffing.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tstaffing.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tstaffing\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4088962; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain bouldercafe-wuppertal.de"; dns.query; content:"bouldercafe-wuppertal.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])bouldercafe\-wuppertal\.de$/i"; classtype:trojan-activity; sid:4088971; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain bouldercafe-wuppertal.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bouldercafe-wuppertal.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bouldercafe\-wuppertal\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088972; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain burkert-ideenreich.de"; dns.query; content:"burkert-ideenreich.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])burkert\-ideenreich\.de$/i"; classtype:trojan-activity; sid:4088981; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain burkert-ideenreich.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"burkert-ideenreich.de"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])burkert\-ideenreich\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088982; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain xtptrack.com"; dns.query; content:"xtptrack.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])xtptrack\.com$/i"; classtype:trojan-activity; sid:4088991; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain xtptrack.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"xtptrack.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])xtptrack\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4088992; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain hokagestore.com"; dns.query; content:"hokagestore.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])hokagestore\.com$/i"; classtype:trojan-activity; sid:4089001; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain hokagestore.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hokagestore.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hokagestore\.com[^A-Za-z0-9-\.]/Hi"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4089002; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain dsl-ip.de"; dns.query; content:"dsl-ip.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])dsl\-ip\.de$/i"; classtype:trojan-activity; sid:4089011; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain dsl-ip.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dsl-ip.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dsl\-ip\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4089012; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain licor43.de"; dns.query; content:"licor43.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])licor43\.de$/i"; classtype:trojan-activity; sid:4089021; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain licor43.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"licor43.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])licor43\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4089022; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain satyayoga.de"; dns.query; content:"satyayoga.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])satyayoga\.de$/i"; classtype:trojan-activity; sid:4089031; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain satyayoga.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"satyayoga.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])satyayoga\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4089032; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain steampluscarpetandfloors.com"; dns.query; content:"steampluscarpetandfloors.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])steampluscarpetandfloors\.com$/i"; classtype:trojan-activity; sid:4089041; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain steampluscarpetandfloors.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"steampluscarpetandfloors.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])steampluscarpetandfloors\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4089042; rev:1; 
priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain ulyssemarketing.com"; dns.query; content:"ulyssemarketing.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ulyssemarketing\.com$/i"; classtype:trojan-activity; sid:4089051; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain ulyssemarketing.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ulyssemarketing.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ulyssemarketing\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4089052; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain linnankellari.fi"; dns.query; content:"linnankellari.fi"; nocase; pcre: "/(^|[^A-Za-z0-9-])linnankellari\.fi$/i"; classtype:trojan-activity; sid:4089061; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain linnankellari.fi"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"linnankellari.fi"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])linnankellari\.fi[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4089062; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain chandlerpd.com"; dns.query; content:"chandlerpd.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])chandlerpd\.com$/i"; classtype:trojan-activity; sid:4089071; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain chandlerpd.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"chandlerpd.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])chandlerpd\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4089072; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain tandartspraktijkheesch.nl"; dns.query; content:"tandartspraktijkheesch.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])tandartspraktijkheesch\.nl$/i"; classtype:trojan-activity; sid:4089081; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain tandartspraktijkheesch.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tandartspraktijkheesch.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tandartspraktijkheesch\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4089082; rev:1; 
priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain xn--singlebrsen-vergleich-nec.com"; dns.query; content:"xn--singlebrsen-vergleich-nec.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])xn\-\-singlebrsen\-vergleich\-nec\.com$/i"; classtype:trojan-activity; sid:4089091; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain xn--singlebrsen-vergleich-nec.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"xn--singlebrsen-vergleich-nec.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])xn\-\-singlebrsen\-vergleich\-nec\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4089092; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain zflas.com"; dns.query; content:"zflas.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])zflas\.com$/i"; classtype:trojan-activity; sid:4089101; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain zflas.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"zflas.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])zflas\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4089102; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain stemplusacademy.com"; dns.query; content:"stemplusacademy.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])stemplusacademy\.com$/i"; classtype:trojan-activity; sid:4089111; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain stemplusacademy.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"stemplusacademy.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])stemplusacademy\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4089112; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert dns any any -> any any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Domain jadwalbolanet.info"; dns.query; content:"jadwalbolanet.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])jadwalbolanet\.info$/i"; classtype:trojan-activity; sid:4089121; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e208 [misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="PsExec - S0029",tlp:white] Outgoing HTTP Domain jadwalbolanet.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"jadwalbolanet.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])jadwalbolanet\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4089122; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/208;) alert http $HOME_NET any -> 107.172.221.106 $HTTP_PORTS (msg: "MISP e209 [tlp:white] Outgoing URL http|3a|//107.172.221.106/ico/VidT6cErs"; flow:to_server,established; http.header; content:"107.172.221.106"; fast_pattern; nocase; http.uri; content:"/ico/VidT6cErs"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4089931; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/209;) alert http $HOME_NET any -> 107.172.221.106 $HTTP_PORTS (msg: "MISP e209 [tlp:white] Outgoing URL http|3a|//107.172.221.106/images/cursor.png"; flow:to_server,established; http.header; content:"107.172.221.106"; fast_pattern; nocase; http.uri; content:"/images/cursor.png"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4089941; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/209;) alert http $HOME_NET any -> 107.172.221.106 $HTTP_PORTS (msg: "MISP e209 [tlp:white] Outgoing URL http|3a|//107.172.221.106/images/imgpaper.png"; flow:to_server,established; http.header; content:"107.172.221.106"; fast_pattern; nocase; http.uri; content:"/images/imgpaper.png"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4089951; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/209;) alert http $HOME_NET any -> 23.95.227.159 $HTTP_PORTS (msg: "MISP e209 [tlp:white] Outgoing URL http|3a|//23.95.227.159/ico/VidT6cErs"; flow:to_server,established; http.header; content:"23.95.227.159"; fast_pattern; nocase; http.uri; content:"/ico/VidT6cErs"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4089961; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/209;) alert http $HOME_NET any -> 23.95.227.159 $HTTP_PORTS (msg: "MISP e209 [tlp:white] Outgoing URL http|3a|//23.95.227.159/images/cursor.png"; flow:to_server,established; http.header; content:"23.95.227.159"; 
fast_pattern; nocase; http.uri; content:"/images/cursor.png"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4089971; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/209;) alert http $HOME_NET any -> 23.95.227.159 $HTTP_PORTS (msg: "MISP e209 [tlp:white] Outgoing URL http|3a|//23.95.227.159/images/imgpaper.png"; flow:to_server,established; http.header; content:"23.95.227.159"; fast_pattern; nocase; http.uri; content:"/images/imgpaper.png"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4089981; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/209;) alert ip $HOME_NET any -> 35.208.146.4 any (msg: "MISP e212 [tlp:white,misp-galaxy:banker="Qakbot"] Outgoing To IP: 35.208.146.4"; classtype:trojan-activity; sid:4090381; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/212;) alert dns any any -> any any (msg: "MISP e212 [tlp:white,misp-galaxy:banker="Qakbot"] Domain supyouryoga.com"; dns.query; content:"supyouryoga.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])supyouryoga\.com$/i"; classtype:trojan-activity; sid:4090391; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/212;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e212 [tlp:white,misp-galaxy:banker="Qakbot"] Outgoing HTTP Domain supyouryoga.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"supyouryoga.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])supyouryoga\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4090392; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/212;) alert ip $HOME_NET any -> 62.38.114.12 2222 (msg: "MISP e212 [tlp:white,misp-galaxy:banker="Qakbot"] Outgoing To IP: 62.38.114.12|2222"; classtype:trojan-activity; sid:4090401; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/212;) alert ip $HOME_NET any -> 197.45.110.165 995 (msg: "MISP e212 
[tlp:white,misp-galaxy:banker="Qakbot"] Outgoing To IP: 197.45.110.165|995"; classtype:trojan-activity; sid:4090411; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/212;) alert ip $HOME_NET any -> 54.36.108.120 65400 (msg: "MISP e212 [tlp:white,misp-galaxy:banker="Qakbot"] Outgoing To IP: 54.36.108.120|65400"; classtype:trojan-activity; sid:4090421; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/212;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e213 [tlp:white,misp-galaxy:tool="njRAT",misp-galaxy:rat="NJRat",misp-galaxy:mitre-enterprise-attack-attack-pattern="External Remote Services - T1133"] Outgoing URL http|3a|//textfiles.us/driverupdate0.exe"; flow:to_server,established; http.header; content:"textfiles.us"; fast_pattern; nocase; http.uri; content:"/driverupdate0.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4090551; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/213;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e213 [tlp:white,misp-galaxy:tool="njRAT",misp-galaxy:rat="NJRat",misp-galaxy:mitre-enterprise-attack-attack-pattern="External Remote Services - T1133"] Outgoing URL https|3a|//pastebin.com/rw/770qPDMt"; tls.sni; content:"pastebin.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4090601; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/213;) alert dns any any -> any any (msg: "MISP e214 [tlp:white,misp-galaxy:mitre-enterprise-attack-attack-pattern="Scheduled Task - T1053"] Domain deman1.icu"; dns.query; content:"deman1.icu"; nocase; pcre: "/(^|[^A-Za-z0-9-])deman1\.icu$/i"; classtype:trojan-activity; sid:4090701; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/214;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e214 [tlp:white,misp-galaxy:mitre-enterprise-attack-attack-pattern="Scheduled Task - T1053"] Outgoing HTTP Domain deman1.icu"; flow:to_server,established; 
http.header; content: "Host|3a|"; nocase; http.header; content:"deman1.icu"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])deman1\.icu[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4090702; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/214;)
# Review note: the e214 rules below (and the e220 rules further down) embed MISP galaxy tag
# values as nested, unescaped double quotes inside msg, e.g. ...attack-pattern="Scheduled Task - T1053"].
# Suricata expects a literal quote inside an option value to be escaped as \"; as written these
# rules may fail to load or carry a mangled msg, so the indicators they cover could be silently
# absent from the live ruleset. Fix this in the exporter (escape or strip quoted tag values in msg)
# and confirm against the engine's rule-load log rather than hand-patching the export.
alert dns any any -> any any (msg: "MISP e214 [tlp:white,misp-galaxy:mitre-enterprise-attack-attack-pattern="Scheduled Task - T1053"] Domain hotsoft.icu"; dns.query; content:"hotsoft.icu"; nocase; pcre: "/(^|[^A-Za-z0-9-])hotsoft\.icu$/i"; classtype:trojan-activity; sid:4090711; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/214;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e214 [tlp:white,misp-galaxy:mitre-enterprise-attack-attack-pattern="Scheduled Task - T1053"] Outgoing HTTP Domain hotsoft.icu"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hotsoft.icu"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hotsoft\.icu[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4090712; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/214;)
alert dns any any -> any any (msg: "MISP e214 [tlp:white,misp-galaxy:mitre-enterprise-attack-attack-pattern="Scheduled Task - T1053"] Domain uplearn.top"; dns.query; content:"uplearn.top"; nocase; pcre: "/(^|[^A-Za-z0-9-])uplearn\.top$/i"; classtype:trojan-activity; sid:4090721; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/214;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e214 [tlp:white,misp-galaxy:mitre-enterprise-attack-attack-pattern="Scheduled Task - T1053"] Outgoing HTTP Domain uplearn.top"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"uplearn.top"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])uplearn\.top[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4090722; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/214;)
alert dns any any -> any any (msg: "MISP e214 [tlp:white,misp-galaxy:mitre-enterprise-attack-attack-pattern="Scheduled Task - T1053"] Domain lidarcc.icu"; dns.query; content:"lidarcc.icu"; nocase; pcre: "/(^|[^A-Za-z0-9-])lidarcc\.icu$/i"; classtype:trojan-activity; sid:4090731; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/214;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e214 [tlp:white,misp-galaxy:mitre-enterprise-attack-attack-pattern="Scheduled Task - T1053"] Outgoing HTTP Domain lidarcc.icu"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lidarcc.icu"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lidarcc\.icu[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4090732; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/214;)
alert dns any any -> any any (msg: "MISP e214 [tlp:white,misp-galaxy:mitre-enterprise-attack-attack-pattern="Scheduled Task - T1053"] Domain sharepoint-web.com"; dns.query; content:"sharepoint-web.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])sharepoint\-web\.com$/i"; classtype:trojan-activity; sid:4090741; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/214;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e214 [tlp:white,misp-galaxy:mitre-enterprise-attack-attack-pattern="Scheduled Task - T1053"] Outgoing HTTP Domain sharepoint-web.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sharepoint-web.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sharepoint\-web\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4090742; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/214;)
# e215: per-hostname DNS/HTTP pairs at priority 1. The HTTP variant requires both the Host-header
# content match and the boundary-anchored, case-insensitive pcre to hit on the same request.
alert dns any any -> any any (msg: "MISP e215 [tlp:white] Hostname 6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud.com"; dns.query; content:"6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])6a57jk2ba1d9keg15cbg\.appsync\-api\.eu\-west\-1\.avsvmcloud\.com$/i"; classtype:trojan-activity; sid:4090781; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/215;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e215 [tlp:white] Outgoing HTTP Hostname 6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud.com"; flow:to_server,established; http.header; content: "Host|3a| 6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])6a57jk2ba1d9keg15cbg\.appsync\-api\.eu\-west\-1\.avsvmcloud\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4090782; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/215;)
alert dns any any -> any any (msg: "MISP e215 [tlp:white] Hostname 7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud.com"; dns.query; content:"7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])7sbvaemscs0mc925tb99\.appsync\-api\.us\-west\-2\.avsvmcloud\.com$/i"; classtype:trojan-activity; sid:4090791; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/215;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e215 [tlp:white] Outgoing HTTP Hostname 7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud.com"; flow:to_server,established; http.header; content: "Host|3a| 7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])7sbvaemscs0mc925tb99\.appsync\-api\.us\-west\-2\.avsvmcloud\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4090792; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/215;)
alert dns any any -> any any (msg: "MISP e215 [tlp:white] Hostname gq1h856599gqh538acqn.appsync-api.us-west-2.avsvmcloud.com"; dns.query; content:"gq1h856599gqh538acqn.appsync-api.us-west-2.avsvmcloud.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])gq1h856599gqh538acqn\.appsync\-api\.us\-west\-2\.avsvmcloud\.com$/i"; classtype:trojan-activity; sid:4090801; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/215;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e215 [tlp:white] Outgoing HTTP Hostname gq1h856599gqh538acqn.appsync-api.us-west-2.avsvmcloud.com"; flow:to_server,established; http.header; content: "Host|3a| gq1h856599gqh538acqn.appsync-api.us-west-2.avsvmcloud.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])gq1h856599gqh538acqn\.appsync\-api\.us\-west\-2\.avsvmcloud\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4090802; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/215;)
alert dns any any -> any any (msg: "MISP e215 [tlp:white] Hostname ihvpgv9psvq02ffo77et.appsync-api.us-east-2.avsvmcloud.com"; dns.query; content:"ihvpgv9psvq02ffo77et.appsync-api.us-east-2.avsvmcloud.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ihvpgv9psvq02ffo77et\.appsync\-api\.us\-east\-2\.avsvmcloud\.com$/i"; classtype:trojan-activity; sid:4090811; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/215;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e215 [tlp:white] Outgoing HTTP Hostname ihvpgv9psvq02ffo77et.appsync-api.us-east-2.avsvmcloud.com"; flow:to_server,established; http.header; content: "Host|3a| ihvpgv9psvq02ffo77et.appsync-api.us-east-2.avsvmcloud.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ihvpgv9psvq02ffo77et\.appsync\-api\.us\-east\-2\.avsvmcloud\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4090812; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/215;)
alert dns any any -> any any (msg: "MISP e215 [tlp:white] Hostname k5kcubuassl3alrf7gm3.appsync-api.eu-west-1.avsvmcloud.com"; dns.query; content:"k5kcubuassl3alrf7gm3.appsync-api.eu-west-1.avsvmcloud.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])k5kcubuassl3alrf7gm3\.appsync\-api\.eu\-west\-1\.avsvmcloud\.com$/i"; classtype:trojan-activity; sid:4090821; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/215;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e215 [tlp:white] Outgoing HTTP Hostname k5kcubuassl3alrf7gm3.appsync-api.eu-west-1.avsvmcloud.com"; flow:to_server,established; http.header; content: "Host|3a| k5kcubuassl3alrf7gm3.appsync-api.eu-west-1.avsvmcloud.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])k5kcubuassl3alrf7gm3\.appsync\-api\.eu\-west\-1\.avsvmcloud\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4090822; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/215;)
alert dns any any -> any any (msg: "MISP e215 [tlp:white] Hostname mhdosoksaccf9sni9icp.appsync-api.eu-west-1.avsvmcloud.com"; dns.query; content:"mhdosoksaccf9sni9icp.appsync-api.eu-west-1.avsvmcloud.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mhdosoksaccf9sni9icp\.appsync\-api\.eu\-west\-1\.avsvmcloud\.com$/i"; classtype:trojan-activity; sid:4090831; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/215;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e215 [tlp:white] Outgoing HTTP Hostname mhdosoksaccf9sni9icp.appsync-api.eu-west-1.avsvmcloud.com"; flow:to_server,established; http.header; content: "Host|3a| mhdosoksaccf9sni9icp.appsync-api.eu-west-1.avsvmcloud.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mhdosoksaccf9sni9icp\.appsync\-api\.eu\-west\-1\.avsvmcloud\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4090832; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/215;)
# e215/e216 IP indicators: "alert ip $HOME_NET any -> <addr> any" fires on any protocol and any
# port toward the address, at priority 1. Three addresses are exported under both events --
# 13.59.205.66 (sid 4090841 and 4091131), 54.193.127.66 (4090851 and 4091201) and
# 54.215.192.52 (4090861 and 4091211) -- so the same packet raises two alerts; deduplicate at
# export time or suppress one sid of each pair.
alert ip $HOME_NET any -> 13.59.205.66 any (msg: "MISP e215 [tlp:white] Outgoing To IP: 13.59.205.66"; classtype:trojan-activity; sid:4090841; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/215;)
alert ip $HOME_NET any -> 54.193.127.66 any (msg: "MISP e215 [tlp:white] Outgoing To IP: 54.193.127.66"; classtype:trojan-activity; sid:4090851; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/215;)
alert ip $HOME_NET any -> 54.215.192.52 any (msg: "MISP e215 [tlp:white] Outgoing To IP: 54.215.192.52"; classtype:trojan-activity; sid:4090861; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/215;)
alert ip $HOME_NET any -> 34.203.203.23 any (msg: "MISP e215 [tlp:white] Outgoing To IP: 34.203.203.23"; classtype:trojan-activity; sid:4090871; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/215;)
alert ip $HOME_NET any -> 139.99.115.204 any (msg: "MISP e215 [tlp:white] Outgoing To IP: 139.99.115.204"; classtype:trojan-activity; sid:4090881; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/215;)
alert ip $HOME_NET any -> 5.252.177.25 any (msg: "MISP e215 [tlp:white] Outgoing To IP: 5.252.177.25"; classtype:trojan-activity; sid:4090891; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/215;)
alert ip $HOME_NET any -> 5.252.177.21 any (msg: "MISP e215 [tlp:white] Outgoing To IP: 5.252.177.21"; classtype:trojan-activity; sid:4090901; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/215;)
alert ip $HOME_NET any -> 204.188.205.176 any (msg: "MISP e215 [tlp:white] Outgoing To IP: 204.188.205.176"; classtype:trojan-activity; sid:4090911; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/215;)
alert ip $HOME_NET any -> 51.89.125.18 any (msg: "MISP e215 [tlp:white] Outgoing To IP: 51.89.125.18"; classtype:trojan-activity; sid:4090921; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/215;)
alert ip $HOME_NET any -> 167.114.213.199 any (msg: "MISP e215 [tlp:white] Outgoing To IP: 167.114.213.199"; classtype:trojan-activity; sid:4090931; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/215;)
alert ip $HOME_NET any -> 13.57.184.217 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 13.57.184.217"; classtype:trojan-activity; sid:4091121; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert ip $HOME_NET any -> 13.59.205.66 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 13.59.205.66"; classtype:trojan-activity; sid:4091131; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert ip $HOME_NET any -> 18.217.225.111 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 18.217.225.111"; classtype:trojan-activity; sid:4091141; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert ip $HOME_NET any -> 18.220.219.143 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 18.220.219.143"; classtype:trojan-activity; sid:4091151; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert ip $HOME_NET any -> 196.203.11.89 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 196.203.11.89"; classtype:trojan-activity; sid:4091161; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert ip $HOME_NET any -> 3.16.81.254 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 3.16.81.254"; classtype:trojan-activity; sid:4091171; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert ip $HOME_NET any -> 3.87.182.149 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 3.87.182.149"; classtype:trojan-activity; sid:4091181; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert ip $HOME_NET any -> 34.219.234.134 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 34.219.234.134"; classtype:trojan-activity; sid:4091191; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert ip $HOME_NET any -> 54.193.127.66 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 54.193.127.66"; classtype:trojan-activity; sid:4091201; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert ip $HOME_NET any -> 54.215.192.52 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 54.215.192.52"; classtype:trojan-activity; sid:4091211; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert dns any any -> any any (msg: "MISP e216 [tlp:white] Domain avsvmcloud.com"; dns.query; content:"avsvmcloud.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])avsvmcloud\.com$/i"; classtype:trojan-activity; sid:4091221; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e216 [tlp:white] Outgoing HTTP Domain avsvmcloud.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"avsvmcloud.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])avsvmcloud\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4091222; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert dns any any -> any any (msg: "MISP e216 [tlp:white] Domain deftsecurity.com"; dns.query; content:"deftsecurity.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])deftsecurity\.com$/i"; classtype:trojan-activity; sid:4091231; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e216 [tlp:white] Outgoing HTTP Domain deftsecurity.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"deftsecurity.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])deftsecurity\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4091232; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert dns any any -> any any (msg: "MISP e216 [tlp:white] Domain digitalcollege.org"; dns.query; content:"digitalcollege.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])digitalcollege\.org$/i"; classtype:trojan-activity; sid:4091241; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e216 [tlp:white] Outgoing HTTP Domain digitalcollege.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"digitalcollege.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])digitalcollege\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4091242; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert dns any any -> any any (msg: "MISP e216 [tlp:white] Domain freescanonline.com"; dns.query; content:"freescanonline.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])freescanonline\.com$/i"; classtype:trojan-activity; sid:4091251; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e216 [tlp:white] Outgoing HTTP Domain freescanonline.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"freescanonline.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])freescanonline\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4091252; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert dns any any -> any any (msg: "MISP e216 [tlp:white] Domain globalnetworkissues.com"; dns.query; content:"globalnetworkissues.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])globalnetworkissues\.com$/i"; classtype:trojan-activity; sid:4091261; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e216 [tlp:white] Outgoing HTTP Domain globalnetworkissues.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"globalnetworkissues.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])globalnetworkissues\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4091262; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert dns any any -> any any (msg: "MISP e216 [tlp:white] Domain kubecloud.com"; dns.query; content:"kubecloud.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])kubecloud\.com$/i"; classtype:trojan-activity; sid:4091271; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e216 [tlp:white] Outgoing HTTP Domain kubecloud.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kubecloud.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kubecloud\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4091272; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert dns any any -> any any (msg: "MISP e216 [tlp:white] Domain lcomputers.com"; dns.query; content:"lcomputers.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])lcomputers\.com$/i"; classtype:trojan-activity; sid:4091281; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e216 [tlp:white] Outgoing HTTP Domain lcomputers.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lcomputers.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lcomputers\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4091282; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert dns any any -> any any (msg: "MISP e216 [tlp:white] Domain seobundlekit.com"; dns.query; content:"seobundlekit.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])seobundlekit\.com$/i"; classtype:trojan-activity; sid:4091291; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e216 [tlp:white] Outgoing HTTP Domain seobundlekit.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"seobundlekit.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])seobundlekit\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4091292; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert dns any any -> any any (msg: "MISP e216 [tlp:white] Domain solartrackingsystem.net"; dns.query; content:"solartrackingsystem.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])solartrackingsystem\.net$/i"; classtype:trojan-activity; sid:4091301; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e216 [tlp:white] Outgoing HTTP Domain solartrackingsystem.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"solartrackingsystem.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])solartrackingsystem\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4091302; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert dns any any -> any any (msg: "MISP e216 [tlp:white] Domain thedoccloud.com"; dns.query; content:"thedoccloud.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])thedoccloud\.com$/i"; classtype:trojan-activity; sid:4091311; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e216 [tlp:white] Outgoing HTTP Domain thedoccloud.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"thedoccloud.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])thedoccloud\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4091312; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert dns any any -> any any (msg: "MISP e216 [tlp:white] Domain virtualwebdata.com"; dns.query; content:"virtualwebdata.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])virtualwebdata\.com$/i"; classtype:trojan-activity; sid:4091321; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e216 [tlp:white] Outgoing HTTP Domain virtualwebdata.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"virtualwebdata.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])virtualwebdata\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4091322; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert dns any any -> any any (msg: "MISP e216 [tlp:white] Domain webcodez.com"; dns.query; content:"webcodez.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])webcodez\.com$/i"; classtype:trojan-activity; sid:4091331; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e216 [tlp:white] Outgoing HTTP Domain webcodez.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"webcodez.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])webcodez\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4091332; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert ip $HOME_NET any -> 184.72.1.3 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 184.72.1.3"; classtype:trojan-activity; sid:4091341; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert ip $HOME_NET any -> 184.72.101.22 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 184.72.101.22"; classtype:trojan-activity; sid:4091351; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert ip $HOME_NET any -> 184.72.113.55 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 184.72.113.55"; classtype:trojan-activity; sid:4091361; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert ip $HOME_NET any -> 184.72.145.34 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 184.72.145.34"; classtype:trojan-activity; sid:4091371; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert ip $HOME_NET any -> 184.72.209.33 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 184.72.209.33"; classtype:trojan-activity; sid:4091381; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert ip $HOME_NET any -> 184.72.21.54 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 184.72.21.54"; classtype:trojan-activity; sid:4091391; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert ip $HOME_NET any -> 184.72.212.52 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 184.72.212.52"; classtype:trojan-activity; sid:4091401; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert ip $HOME_NET any -> 184.72.224.3 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 184.72.224.3"; classtype:trojan-activity; sid:4091411; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert ip $HOME_NET any -> 184.72.229.1 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 184.72.229.1"; classtype:trojan-activity; sid:4091421; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert ip $HOME_NET any -> 184.72.240.3 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 184.72.240.3"; classtype:trojan-activity; sid:4091431; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert ip $HOME_NET any -> 184.72.245.1 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 184.72.245.1"; classtype:trojan-activity; sid:4091441; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert ip $HOME_NET any -> 184.72.48.22 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 184.72.48.22"; classtype:trojan-activity; sid:4091451; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert ip $HOME_NET any -> 20.141.48.154 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 20.141.48.154"; classtype:trojan-activity; sid:4091461; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert ip $HOME_NET any -> 8.18.144.11 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 8.18.144.11"; classtype:trojan-activity; sid:4091471; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert ip $HOME_NET any -> 8.18.144.12 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 8.18.144.12"; classtype:trojan-activity; sid:4091481; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert ip $HOME_NET any -> 8.18.144.130 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 8.18.144.130"; classtype:trojan-activity; sid:4091491; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert ip $HOME_NET any -> 8.18.144.135 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 8.18.144.135"; classtype:trojan-activity; sid:4091501; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert ip $HOME_NET any -> 8.18.144.136 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 8.18.144.136"; classtype:trojan-activity; sid:4091511; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert ip $HOME_NET any -> 8.18.144.149 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 8.18.144.149"; classtype:trojan-activity; sid:4091521; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert ip $HOME_NET any -> 8.18.144.156 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 8.18.144.156"; classtype:trojan-activity; sid:4091531; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert ip $HOME_NET any -> 8.18.144.158 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 8.18.144.158"; classtype:trojan-activity; sid:4091541; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert ip $HOME_NET any -> 8.18.144.165 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 8.18.144.165"; classtype:trojan-activity; sid:4091551; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert ip $HOME_NET any -> 8.18.144.170 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 8.18.144.170"; classtype:trojan-activity; sid:4091561; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert ip $HOME_NET any -> 8.18.144.180 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 8.18.144.180"; classtype:trojan-activity; sid:4091571; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert ip $HOME_NET any -> 8.18.144.188 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 8.18.144.188"; classtype:trojan-activity; sid:4091581; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert ip $HOME_NET any -> 8.18.144.20 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 8.18.144.20"; classtype:trojan-activity; sid:4091591; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert ip $HOME_NET any -> 8.18.144.40 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 8.18.144.40"; classtype:trojan-activity; sid:4091601; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert ip $HOME_NET any -> 8.18.144.44 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 8.18.144.44"; classtype:trojan-activity; sid:4091611; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert ip $HOME_NET any -> 8.18.144.62 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 8.18.144.62"; classtype:trojan-activity; sid:4091621; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert ip $HOME_NET any -> 8.18.144.9 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 8.18.144.9"; classtype:trojan-activity; sid:4091631; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert ip $HOME_NET any -> 8.18.145.131 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 8.18.145.131"; classtype:trojan-activity; sid:4091641; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert ip $HOME_NET any -> 8.18.145.134 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 8.18.145.134"; classtype:trojan-activity; sid:4091651; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert ip $HOME_NET any -> 8.18.145.136 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 8.18.145.136"; classtype:trojan-activity; sid:4091661; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert ip $HOME_NET any -> 8.18.145.139 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 8.18.145.139"; classtype:trojan-activity; sid:4091671; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert ip $HOME_NET any -> 8.18.145.150 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 8.18.145.150"; classtype:trojan-activity; sid:4091681; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert ip $HOME_NET any -> 8.18.145.157 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 8.18.145.157"; classtype:trojan-activity; sid:4091691; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert ip $HOME_NET any -> 8.18.145.181 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 8.18.145.181"; classtype:trojan-activity; sid:4091701; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert ip $HOME_NET any -> 8.18.145.21 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 8.18.145.21"; classtype:trojan-activity; sid:4091711; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert ip $HOME_NET any -> 8.18.145.3 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 8.18.145.3"; classtype:trojan-activity; sid:4091721; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert ip $HOME_NET any -> 8.18.145.33 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 8.18.145.33"; classtype:trojan-activity; sid:4091731; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
alert ip $HOME_NET any -> 8.18.145.36 any (msg: "MISP e216 [tlp:white] Outgoing To IP: 8.18.145.36"; classtype:trojan-activity; sid:4091741; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/216;)
# e217: the "Outgoing URL" rules match the bare hostname anywhere in the HTTP header buffer
# (no http.uri part, no fast_pattern) and are limited to $EXTERNAL_NET $HTTP_PORTS, whereas the
# domain rules above use "any" as the destination port.
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e217 [tlp:white] Outgoing URL http|3a|//myabiggeojs.myftp.biz"; flow:to_server,established; http.header; content:"myabiggeojs.myftp.biz"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4091781; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/217;)
alert ip $HOME_NET any -> 185.195.79.210 any (msg: "MISP e217 [tlp:white] Outgoing To IP: 185.195.79.210"; classtype:trojan-activity; sid:4091791; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/217;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e217 [tlp:white] Outgoing URL http|3a|//dirhaeednotrtup.hopto.org"; flow:to_server,established; http.header; content:"dirhaeednotrtup.hopto.org"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4091801; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/217;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e217 [tlp:white] Outgoing URL http|3a|//martinluther.tk"; flow:to_server,established; http.header; content:"martinluther.tk"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4091811; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/217;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e217 [tlp:white] Outgoing URL http|3a|//bushaka009.duckdns.org"; flow:to_server,established; http.header; content:"bushaka009.duckdns.org"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4091821; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/217;)
alert ip $HOME_NET any -> 185.19.85.156 any (msg: "MISP e217 [tlp:white] Outgoing To IP: 185.19.85.156"; classtype:trojan-activity; sid:4091831; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/217;)
alert dns any any -> any any (msg: "MISP e217 [tlp:white] Hostname afghphae.gotdns.ch"; dns.query; content:"afghphae.gotdns.ch"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])afghphae\.gotdns\.ch$/i"; classtype:trojan-activity; sid:4091841; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/217;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e217 [tlp:white] Outgoing HTTP Hostname afghphae.gotdns.ch"; flow:to_server,established; http.header; content: "Host|3a| afghphae.gotdns.ch"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])afghphae\.gotdns\.ch[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4091842; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/217;)
alert dns any any -> any any (msg: "MISP e217 [tlp:white] Hostname panarmjsdrew.gotdns.ch"; dns.query; content:"panarmjsdrew.gotdns.ch"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])panarmjsdrew\.gotdns\.ch$/i"; classtype:trojan-activity; sid:4091881; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/217;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e217 [tlp:white] Outgoing HTTP Hostname panarmjsdrew.gotdns.ch"; flow:to_server,established; http.header; content: "Host|3a| panarmjsdrew.gotdns.ch"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])panarmjsdrew\.gotdns\.ch[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4091882; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/217;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e218 [tlp:white] Outgoing URL http|3a|//millsmiltinon.com/ojHYhkfkmofwendkfptktnbjgmfkgtdeitobregvdgetyhsk/Xehmigm.exe"; flow:to_server,established; http.header; content:"millsmiltinon.com"; fast_pattern; nocase; http.uri; content:"/ojHYhkfkmofwendkfptktnbjgmfkgtdeitobregvdgetyhsk/Xehmigm.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4091971; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/218;)
alert dns any any -> any any (msg: "MISP e218 [tlp:white] Domain millsmiltinon.com"; dns.query; content:"millsmiltinon.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])millsmiltinon\.com$/i"; classtype:trojan-activity; sid:4091981; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/218;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e218 [tlp:white] Outgoing HTTP Domain millsmiltinon.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"millsmiltinon.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])millsmiltinon\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4091982; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/218;)
alert ip $HOME_NET any -> 104.223.143.132 any (msg: "MISP e218 [tlp:white] Outgoing To IP: 104.223.143.132"; classtype:trojan-activity; sid:4091991; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/218;)
# e220: each msg carries ten nested double-quoted galaxy values (threat-actor and attack-pattern
# tags); same unescaped-quote concern as the e214 rules above -- verify these load cleanly.
alert ip $HOME_NET any -> 68.65.122.109 any (msg: "MISP e220 [tlp:white,misp-galaxy:threat-actor="Volatile Cedar",misp-galaxy:mitre-attack-pattern="Acquire OSINT data sets and information - T1247",misp-galaxy:mitre-attack-pattern="Determine 3rd party infrastructure services - T1260",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Confluence - T1213.001",misp-galaxy:mitre-attack-pattern="Data from Local System - T1005",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008",misp-galaxy:mitre-attack-pattern="Remote access tool development - T1351",misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003"] Outgoing To IP: 68.65.122.109"; classtype:trojan-activity; sid:4092031; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/220;)
alert ip $HOME_NET any -> 74.208.73.149 any (msg: "MISP e220 [tlp:white,misp-galaxy:threat-actor="Volatile Cedar",misp-galaxy:mitre-attack-pattern="Acquire OSINT data sets and information - T1247",misp-galaxy:mitre-attack-pattern="Determine 3rd party infrastructure services - T1260",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Confluence - T1213.001",misp-galaxy:mitre-attack-pattern="Data from Local System - T1005",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008",misp-galaxy:mitre-attack-pattern="Remote access tool development - T1351",misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003"] Outgoing To IP: 74.208.73.149"; classtype:trojan-activity; sid:4092041; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/220;)
alert ip $HOME_NET any -> 191.101.5.183 any (msg: "MISP e220 [tlp:white,misp-galaxy:threat-actor="Volatile Cedar",misp-galaxy:mitre-attack-pattern="Acquire OSINT data sets and information - T1247",misp-galaxy:mitre-attack-pattern="Determine 3rd party infrastructure services - T1260",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Confluence - T1213.001",misp-galaxy:mitre-attack-pattern="Data from Local System - T1005",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008",misp-galaxy:mitre-attack-pattern="Remote access tool development - T1351",misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003"] Outgoing To IP: 191.101.5.183"; classtype:trojan-activity; sid:4092051; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/220;)
alert ip $HOME_NET any -> 198.101.242.72 any (msg: "MISP e220 [tlp:white,misp-galaxy:threat-actor="Volatile Cedar",misp-galaxy:mitre-attack-pattern="Acquire OSINT data sets and information - T1247",misp-galaxy:mitre-attack-pattern="Determine 3rd party infrastructure services - T1260",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Confluence - T1213.001",misp-galaxy:mitre-attack-pattern="Data from Local System - T1005",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008",misp-galaxy:mitre-attack-pattern="Remote access tool development - T1351",misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003"] Outgoing To IP: 198.101.242.72"; classtype:trojan-activity; sid:4092061; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/220;)
alert ip $HOME_NET any -> 169.50.13.61 any (msg: "MISP e220 [tlp:white,misp-galaxy:threat-actor="Volatile Cedar",misp-galaxy:mitre-attack-pattern="Acquire OSINT data sets and information - T1247",misp-galaxy:mitre-attack-pattern="Determine 3rd party infrastructure services - T1260",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Confluence - T1213.001",misp-galaxy:mitre-attack-pattern="Data from Local System - T1005",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008",misp-galaxy:mitre-attack-pattern="Remote access tool development - T1351",misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003"] Outgoing To IP: 169.50.13.61"; classtype:trojan-activity; sid:4092071; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/220;)
# e221: tls.sni content match with neither nocase nor anchoring, i.e. a case-sensitive substring
# match on the SNI. The http/dns rules above do not inspect TLS, so this rule is the only
# coverage of br0vvnn.io in this section.
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e221 [tlp:white] Outgoing URL https|3a|//br0vvnn.io"; tls.sni; content:"br0vvnn.io"; tag:session,600,seconds; classtype:trojan-activity; sid:4092341; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/221;)
alert tls $HOME_NET any -> 
$EXTERNAL_NET 443 (msg: "MISP e221 [tlp:white] Outgoing URL https|3a|//blog.br0vvnn.io"; tls.sni; content:"blog.br0vvnn.io"; tag:session,600,seconds; classtype:trojan-activity; sid:4092351; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/221;) alert dns any any -> any any (msg: "MISP e221 [tlp:white] Domain codevexillium.org"; dns.query; content:"codevexillium.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])codevexillium\.org$/i"; classtype:trojan-activity; sid:4092361; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/221;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e221 [tlp:white] Outgoing HTTP Domain codevexillium.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"codevexillium.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])codevexillium\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4092362; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/221;) alert dns any any -> any any (msg: "MISP e221 [tlp:white] Domain angeldonationblog.com"; dns.query; content:"angeldonationblog.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])angeldonationblog\.com$/i"; classtype:trojan-activity; sid:4092371; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/221;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e221 [tlp:white] Outgoing HTTP Domain angeldonationblog.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"angeldonationblog.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])angeldonationblog\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4092372; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/221;) alert dns any any -> any any (msg: "MISP e221 [tlp:white] Domain investbooking.de"; dns.query; content:"investbooking.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])investbooking\.de$/i"; classtype:trojan-activity; 
sid:4092381; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/221;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e221 [tlp:white] Outgoing HTTP Domain investbooking.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"investbooking.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])investbooking\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4092382; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/221;) alert dns any any -> any any (msg: "MISP e221 [tlp:white] Domain krakenfolio.com"; dns.query; content:"krakenfolio.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])krakenfolio\.com$/i"; classtype:trojan-activity; sid:4092391; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/221;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e221 [tlp:white] Outgoing HTTP Domain krakenfolio.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"krakenfolio.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])krakenfolio\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4092392; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/221;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e221 [tlp:white] Outgoing URL https|3a|//codevexillium.org/image/download/download.asp"; tls.sni; content:"codevexillium.org"; tag:session,600,seconds; classtype:trojan-activity; sid:4092401; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/221;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e221 [tlp:white] Outgoing URL https|3a|//angeldonationblog.com/image/upload/upload.php"; tls.sni; content:"angeldonationblog.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4092411; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/221;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e221 
[tlp:white] Outgoing URL https|3a|//www.dronerc.it/shop_testbr/Core/upload.php"; tls.sni; content:"www.dronerc.it"; tag:session,600,seconds; classtype:trojan-activity; sid:4092421; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/221;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e221 [tlp:white] Outgoing URL https|3a|//www.dronerc.it/forum/uploads/index.php"; tls.sni; content:"www.dronerc.it"; tag:session,600,seconds; classtype:trojan-activity; sid:4092431; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/221;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e221 [tlp:white] Outgoing URL https|3a|//www.dronerc.it/shop_testbr/upload/upload.php"; tls.sni; content:"www.dronerc.it"; tag:session,600,seconds; classtype:trojan-activity; sid:4092441; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/221;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e221 [tlp:white] Outgoing URL https|3a|//www.edujikim.com/intro/blue/insert.asp"; tls.sni; content:"www.edujikim.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4092451; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/221;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e221 [tlp:white] Outgoing URL https|3a|//investbooking.de/upload/upload.asp"; tls.sni; content:"investbooking.de"; tag:session,600,seconds; classtype:trojan-activity; sid:4092461; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/221;) alert dns any any -> any any (msg: "MISP e221 [tlp:white] Domain vir.it"; dns.query; content:"vir.it"; nocase; pcre: "/(^|[^A-Za-z0-9-])vir\.it$/i"; classtype:trojan-activity; sid:4092921; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/221;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e221 [tlp:white] Outgoing HTTP Domain vir.it"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vir.it"; 
fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vir\.it[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4092922; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/221;) alert dns any any -> any any (msg: "MISP e222 [tlp:white] Domain aktel.org"; dns.query; content:"aktel.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])aktel\.org$/i"; classtype:trojan-activity; sid:4093251; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/222;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e222 [tlp:white] Outgoing HTTP Domain aktel.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"aktel.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])aktel\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4093252; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/222;) alert dns any any -> any any (msg: "MISP e222 [tlp:white] Domain bkashagent.com"; dns.query; content:"bkashagent.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])bkashagent\.com$/i"; classtype:trojan-activity; sid:4093261; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/222;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e222 [tlp:white] Outgoing HTTP Domain bkashagent.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bkashagent.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bkashagent\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4093262; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/222;) alert dns any any -> any any (msg: "MISP e222 [tlp:white] Domain bkash.club"; dns.query; content:"bkash.club"; nocase; pcre: "/(^|[^A-Za-z0-9-])bkash\.club$/i"; classtype:trojan-activity; sid:4093271; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/222;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e222 
[tlp:white] Outgoing HTTP Domain bkash.club"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bkash.club"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bkash\.club[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4093272; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/222;) alert dns any any -> any any (msg: "MISP e222 [tlp:white] Domain corona-bd.com"; dns.query; content:"corona-bd.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])corona\-bd\.com$/i"; classtype:trojan-activity; sid:4093281; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/222;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e222 [tlp:white] Outgoing HTTP Domain corona-bd.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"corona-bd.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])corona\-bd\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4093282; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/222;) alert dns any any -> any any (msg: "MISP e222 [tlp:white] Domain imei.today"; dns.query; content:"imei.today"; nocase; pcre: "/(^|[^A-Za-z0-9-])imei\.today$/i"; classtype:trojan-activity; sid:4093291; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/222;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e222 [tlp:white] Outgoing HTTP Domain imei.today"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"imei.today"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])imei\.today[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4093292; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/222;) alert dns any any -> any any (msg: "MISP e222 [tlp:white] Domain mybnp.club"; dns.query; content:"mybnp.club"; nocase; pcre: "/(^|[^A-Za-z0-9-])mybnp\.club$/i"; classtype:trojan-activity; 
sid:4093301; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/222;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e222 [tlp:white] Outgoing HTTP Domain mybnp.club"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mybnp.club"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mybnp\.club[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4093302; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/222;) alert dns any any -> any any (msg: "MISP e222 [tlp:white] Domain zepode.online"; dns.query; content:"zepode.online"; nocase; pcre: "/(^|[^A-Za-z0-9-])zepode\.online$/i"; classtype:trojan-activity; sid:4093311; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/222;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e222 [tlp:white] Outgoing HTTP Domain zepode.online"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"zepode.online"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])zepode\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4093312; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/222;) alert dns any any -> any any (msg: "MISP e222 [tlp:white] Domain c0mputer.xyz"; dns.query; content:"c0mputer.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])c0mputer\.xyz$/i"; classtype:trojan-activity; sid:4093321; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/222;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e222 [tlp:white] Outgoing HTTP Domain c0mputer.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"c0mputer.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])c0mputer\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4093322; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/222;) alert dns any any -> any any 
(msg: "MISP e222 [tlp:white] Domain piramidewebs.com"; dns.query; content:"piramidewebs.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])piramidewebs\.com$/i"; classtype:trojan-activity; sid:4093331; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/222;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e222 [tlp:white] Outgoing HTTP Domain piramidewebs.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"piramidewebs.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])piramidewebs\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4093332; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/222;) alert ip $HOME_NET any -> 94.130.110.78 any (msg: "MISP e222 [tlp:white] Outgoing To IP: 94.130.110.78"; classtype:trojan-activity; sid:4093341; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/222;) alert ip $HOME_NET any -> 107.180.72.97 any (msg: "MISP e222 [tlp:white] Outgoing To IP: 107.180.72.97"; classtype:trojan-activity; sid:4093351; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/222;) alert ip $HOME_NET any -> 107.180.73.34 any (msg: "MISP e222 [tlp:white] Outgoing To IP: 107.180.73.34"; classtype:trojan-activity; sid:4093361; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/222;) alert ip $HOME_NET any -> 107.180.73.135 any (msg: "MISP e222 [tlp:white] Outgoing To IP: 107.180.73.135"; classtype:trojan-activity; sid:4093371; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/222;) alert ip $HOME_NET any -> 116.203.37.39 any (msg: "MISP e222 [tlp:white] Outgoing To IP: 116.203.37.39"; classtype:trojan-activity; sid:4093381; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/222;) alert ip $HOME_NET any -> 134.122.120.22 any (msg: "MISP e222 [tlp:white] Outgoing To IP: 134.122.120.22"; classtype:trojan-activity; sid:4093391; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/222;) alert ip $HOME_NET any -> 103.77.192.219 any (msg: "MISP e223 [tlp:white] Outgoing To IP: 103.77.192.219"; classtype:trojan-activity; sid:4093571; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/223;) alert ip $HOME_NET any -> 104.140.114.110 any (msg: "MISP e223 [tlp:white] Outgoing To IP: 104.140.114.110"; classtype:trojan-activity; sid:4093581; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/223;) alert ip $HOME_NET any -> 104.250.191.110 any (msg: "MISP e223 [tlp:white] Outgoing To IP: 104.250.191.110"; classtype:trojan-activity; sid:4093591; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/223;) alert ip $HOME_NET any -> 108.61.246.56 any (msg: "MISP e223 [tlp:white] Outgoing To IP: 108.61.246.56"; classtype:trojan-activity; sid:4093601; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/223;) alert ip $HOME_NET any -> 149.28.14.163 any (msg: "MISP e223 [tlp:white] Outgoing To IP: 149.28.14.163"; classtype:trojan-activity; sid:4093611; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/223;) alert ip $HOME_NET any -> 157.230.221.198 any (msg: "MISP e223 [tlp:white] Outgoing To IP: 157.230.221.198"; classtype:trojan-activity; sid:4093621; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/223;) alert ip $HOME_NET any -> 167.99.168.251 any (msg: "MISP e223 [tlp:white] Outgoing To IP: 167.99.168.251"; classtype:trojan-activity; sid:4093631; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/223;) alert ip $HOME_NET any -> 185.250.151.72 any (msg: "MISP e223 [tlp:white] Outgoing To IP: 185.250.151.72"; classtype:trojan-activity; sid:4093641; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/223;) alert ip $HOME_NET any -> 192.81.208.169 any (msg: "MISP e223 [tlp:white] Outgoing To IP: 192.81.208.169"; classtype:trojan-activity; sid:4093651; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/223;) alert ip $HOME_NET any -> 203.160.69.66 any (msg: "MISP e223 [tlp:white] Outgoing To IP: 203.160.69.66"; classtype:trojan-activity; sid:4093661; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/223;) alert ip $HOME_NET any -> 211.56.98.146 any (msg: "MISP e223 [tlp:white] Outgoing To IP: 211.56.98.146"; classtype:trojan-activity; sid:4093671; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/223;) alert ip $HOME_NET any -> 5.254.43.18 any (msg: "MISP e223 [tlp:white] Outgoing To IP: 5.254.43.18"; classtype:trojan-activity; sid:4093681; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/223;) alert ip $HOME_NET any -> 5.2.69.14 any (msg: "MISP e223 [tlp:white] Outgoing To IP: 5.2.69.14"; classtype:trojan-activity; sid:4093691; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/223;) alert ip $HOME_NET any -> 80.92.205.81 any (msg: "MISP e223 [tlp:white] Outgoing To IP: 80.92.205.81"; classtype:trojan-activity; sid:4093701; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/223;) alert ip $HOME_NET any -> 91.192.103.43 any (msg: "MISP e223 [tlp:white] Outgoing To IP: 91.192.103.43"; classtype:trojan-activity; sid:4093711; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/223;) alert ip $HOME_NET any -> 104.248.49.97 any (msg: "MISP e223 [tlp:white] Outgoing To IP: 104.248.49.97"; classtype:trojan-activity; sid:4093941; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/223;) alert ip $HOME_NET any -> 112.66.255.71 any (msg: "MISP e223 [tlp:white] Outgoing To IP: 112.66.255.71"; classtype:trojan-activity; sid:4093951; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/223;) alert ip $HOME_NET any -> 139.59.56.239 any (msg: "MISP e223 [tlp:white] Outgoing To IP: 139.59.56.239"; classtype:trojan-activity; sid:4093961; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/223;) alert ip $HOME_NET any -> 161.35.1.207 any (msg: "MISP e223 [tlp:white] Outgoing To IP: 161.35.1.207"; classtype:trojan-activity; sid:4093971; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/223;) alert ip $HOME_NET any -> 161.35.1.225 any (msg: "MISP e223 [tlp:white] Outgoing To IP: 161.35.1.225"; classtype:trojan-activity; sid:4093981; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/223;) alert ip $HOME_NET any -> 161.35.45.41 any (msg: "MISP e223 [tlp:white] Outgoing To IP: 161.35.45.41"; classtype:trojan-activity; sid:4093991; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/223;) alert ip $HOME_NET any -> 161.35.51.41 any (msg: "MISP e223 [tlp:white] Outgoing To IP: 161.35.51.41"; classtype:trojan-activity; sid:4094001; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/223;) alert ip $HOME_NET any -> 161.35.76.1 any (msg: "MISP e223 [tlp:white] Outgoing To IP: 161.35.76.1"; classtype:trojan-activity; sid:4094011; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/223;) alert ip $HOME_NET any -> 167.99.239.29 any (msg: "MISP e223 [tlp:white] Outgoing To IP: 167.99.239.29"; classtype:trojan-activity; sid:4094021; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/223;) alert ip $HOME_NET any -> 165.232.154.116 any (msg: "MISP e223 [tlp:white] Outgoing To IP: 165.232.154.116"; classtype:trojan-activity; sid:4094031; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/223;) alert ip $HOME_NET any -> 182.18.152.105 any (msg: "MISP e223 [tlp:white] Outgoing To IP: 182.18.152.105"; classtype:trojan-activity; sid:4094041; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/223;) alert ip $HOME_NET any -> 188.166.162.201 any (msg: "MISP e223 [tlp:white] Outgoing To IP: 188.166.162.201"; classtype:trojan-activity; sid:4094051; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/223;) alert ip $HOME_NET any -> 194.87.69.35 any (msg: "MISP e223 [tlp:white] Outgoing To IP: 194.87.69.35"; classtype:trojan-activity; sid:4094061; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/223;) alert ip $HOME_NET any -> 45.77.252.175 any (msg: "MISP e223 [tlp:white] Outgoing To IP: 45.77.252.175"; classtype:trojan-activity; sid:4094071; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/223;) alert ip $HOME_NET any -> 77.61.36.169 any (msg: "MISP e223 [tlp:white] Outgoing To IP: 77.61.36.169"; classtype:trojan-activity; sid:4094081; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/223;) alert ip $HOME_NET any -> 86.105.18.116 any (msg: "MISP e223 [tlp:white] Outgoing To IP: 86.105.18.116"; classtype:trojan-activity; sid:4094091; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/223;) alert ip $HOME_NET any -> 89.34.111.11 any (msg: "MISP e223 [tlp:white] Outgoing To IP: 89.34.111.11"; classtype:trojan-activity; sid:4094101; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/223;) alert dns any any -> any any (msg: "MISP e224 [tlp:white] Domain kelvinso412.com"; dns.query; content:"kelvinso412.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])kelvinso412\.com$/i"; classtype:trojan-activity; sid:4094111; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/224;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e224 [tlp:white] Outgoing HTTP Domain kelvinso412.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kelvinso412.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kelvinso412\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4094112; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/224;) alert dns any any -> any any (msg: "MISP e224 [tlp:white] Domain kelvinso45.com"; dns.query; 
content:"kelvinso45.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])kelvinso45\.com$/i"; classtype:trojan-activity; sid:4094121; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/224;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e224 [tlp:white] Outgoing HTTP Domain kelvinso45.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kelvinso45.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kelvinso45\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4094122; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/224;) alert dns any any -> any any (msg: "MISP e224 [tlp:white] Domain kelvinso4.com"; dns.query; content:"kelvinso4.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])kelvinso4\.com$/i"; classtype:trojan-activity; sid:4094131; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/224;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e224 [tlp:white] Outgoing HTTP Domain kelvinso4.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kelvinso4.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kelvinso4\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4094132; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/224;) alert dns any any -> any any (msg: "MISP e224 [tlp:white] Domain kelvinsoirnt98.com"; dns.query; content:"kelvinsoirnt98.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])kelvinsoirnt98\.com$/i"; classtype:trojan-activity; sid:4094141; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/224;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e224 [tlp:white] Outgoing HTTP Domain kelvinsoirnt98.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kelvinsoirnt98.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kelvinsoirnt98\.com[^A-Za-z0-9-\.]/Hi"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4094142; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/224;) alert dns any any -> any any (msg: "MISP e224 [tlp:white] Domain ophenhand.org"; dns.query; content:"ophenhand.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])ophenhand\.org$/i"; classtype:trojan-activity; sid:4094151; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/224;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e224 [tlp:white] Outgoing HTTP Domain ophenhand.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ophenhand.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ophenhand\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4094152; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/224;) alert dns any any -> any any (msg: "MISP e224 [tlp:white] Domain penguinsac.com"; dns.query; content:"penguinsac.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])penguinsac\.com$/i"; classtype:trojan-activity; sid:4094161; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/224;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e224 [tlp:white] Outgoing HTTP Domain penguinsac.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"penguinsac.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])penguinsac\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4094162; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/224;) alert dns any any -> any any (msg: "MISP e224 [tlp:white] Domain minorleage.top"; dns.query; content:"minorleage.top"; nocase; pcre: "/(^|[^A-Za-z0-9-])minorleage\.top$/i"; classtype:trojan-activity; sid:4094171; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/224;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e224 [tlp:white] Outgoing HTTP Domain 
minorleage.top"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"minorleage.top"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])minorleage\.top[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4094172; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/224;) alert dns any any -> any any (msg: "MISP e224 [tlp:white] Domain 69av19.xyz"; dns.query; content:"69av19.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])69av19\.xyz$/i"; classtype:trojan-activity; sid:4094181; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/224;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e224 [tlp:white] Outgoing HTTP Domain 69av19.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"69av19.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])69av19\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4094182; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/224;) alert dns any any -> any any (msg: "MISP e224 [tlp:white] Domain 99s13.xyz"; dns.query; content:"99s13.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])99s13\.xyz$/i"; classtype:trojan-activity; sid:4094191; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/224;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e224 [tlp:white] Outgoing HTTP Domain 99s13.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"99s13.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])99s13\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4094192; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/224;) alert dns any any -> any any (msg: "MISP e224 [tlp:white] Domain cc222.com"; dns.query; content:"cc222.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])cc222\.com$/i"; classtype:trojan-activity; sid:4094201; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/224;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e224 [tlp:white] Outgoing HTTP Domain cc222.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cc222.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cc222\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4094202; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/224;) alert dns any any -> any any (msg: "MISP e224 [tlp:white] Domain fs10.xyz"; dns.query; content:"fs10.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])fs10\.xyz$/i"; classtype:trojan-activity; sid:4094211; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/224;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e224 [tlp:white] Outgoing HTTP Domain fs10.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"fs10.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])fs10\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4094212; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/224;) alert dns any any -> any any (msg: "MISP e224 [tlp:white] Domain hfcclixb.xyz"; dns.query; content:"hfcclixb.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])hfcclixb\.xyz$/i"; classtype:trojan-activity; sid:4094221; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/224;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e224 [tlp:white] Outgoing HTTP Domain hfcclixb.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hfcclixb.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hfcclixb\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4094222; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/224;) alert dns any any -> any any (msg: "MISP e224 [tlp:white] Domain hobbytoypark.com"; dns.query; 
content:"hobbytoypark.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])hobbytoypark\.com$/i"; classtype:trojan-activity; sid:4094231; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/224;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e224 [tlp:white] Outgoing HTTP Domain hobbytoypark.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hobbytoypark.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hobbytoypark\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4094232; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/224;) alert dns any any -> any any (msg: "MISP e224 [tlp:white] Domain jemstutoring.com"; dns.query; content:"jemstutoring.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])jemstutoring\.com$/i"; classtype:trojan-activity; sid:4094241; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/224;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e224 [tlp:white] Outgoing HTTP Domain jemstutoring.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"jemstutoring.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])jemstutoring\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4094242; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/224;) alert dns any any -> any any (msg: "MISP e224 [tlp:white] Domain krk13pearland.com"; dns.query; content:"krk13pearland.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])krk13pearland\.com$/i"; classtype:trojan-activity; sid:4094251; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/224;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e224 [tlp:white] Outgoing HTTP Domain krk13pearland.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"krk13pearland.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])krk13pearland\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4094252; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/224;) alert dns any any -> any any (msg: "MISP e224 [tlp:white] Domain theav9.xyz"; dns.query; content:"theav9.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])theav9\.xyz$/i"; classtype:trojan-activity; sid:4094261; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/224;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e224 [tlp:white] Outgoing HTTP Domain theav9.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"theav9.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])theav9\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4094262; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/224;) alert tls any any -> any any (msg: "MISP e224 [tlp:white] JA3 Hash: 6312930a139fa3ed22b87abb75c16afa"; ja3.hash; content:"6312930a139fa3ed22b87abb75c16afa"; fast_pattern; tag:session,600,seconds; classtype:trojan-activity; sid:4094321; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/224;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e225 [misp-galaxy:ransomware="Darkside",tlp:white] Outgoing URL http|3a|//sol-doc.xyz/sol/ID-482875588"; flow:to_server,established; http.header; content:"sol-doc.xyz"; fast_pattern; nocase; http.uri; content:"/sol/ID-482875588"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4094721; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/225;) alert dns any any -> any any (msg: "MISP e225 [misp-galaxy:ransomware="Darkside",tlp:white] Domain sol-doc.xyz"; dns.query; content:"sol-doc.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])sol\-doc\.xyz$/i"; classtype:trojan-activity; sid:4094731; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/225;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg: "MISP e225 [misp-galaxy:ransomware="Darkside",tlp:white] Outgoing HTTP Domain sol-doc.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sol-doc.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sol\-doc\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4094732; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/225;) alert dns any any -> any any (msg: "MISP e225 [misp-galaxy:ransomware="Darkside",tlp:white] Domain los-web.xyz"; dns.query; content:"los-web.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])los\-web\.xyz$/i"; classtype:trojan-activity; sid:4094741; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/225;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e225 [misp-galaxy:ransomware="Darkside",tlp:white] Outgoing HTTP Domain los-web.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"los-web.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])los\-web\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4094742; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/225;) alert dns any any -> any any (msg: "MISP e225 [misp-galaxy:ransomware="Darkside",tlp:white] Domain koliz.xyz"; dns.query; content:"koliz.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])koliz\.xyz$/i"; classtype:trojan-activity; sid:4094751; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/225;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e225 [misp-galaxy:ransomware="Darkside",tlp:white] Outgoing HTTP Domain koliz.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"koliz.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])koliz\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4094752; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/225;) alert ip $HOME_NET any -> 81.91.177.54 any (msg: "MISP e225 [misp-galaxy:ransomware="Darkside",tlp:white] Outgoing To IP: 81.91.177.54"; classtype:trojan-activity; sid:4094761; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/225;) alert ip $HOME_NET any -> 73.234.155.208 any (msg: "MISP e225 [misp-galaxy:ransomware="Darkside",tlp:white] Outgoing To IP: 73.234.155.208"; classtype:trojan-activity; sid:4094771; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/225;) alert ip $HOME_NET any -> 104.193.252.197 443 (msg: "MISP e225 [misp-galaxy:ransomware="Darkside",tlp:white] Outgoing To IP: 104.193.252.197|443"; classtype:trojan-activity; sid:4094781; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/225;) alert ip $HOME_NET any -> 162.244.81.253 443 (msg: "MISP e225 [misp-galaxy:ransomware="Darkside",tlp:white] Outgoing To IP: 162.244.81.253|443"; classtype:trojan-activity; sid:4094791; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/225;) alert ip $HOME_NET any -> 185.180.197.86 443 (msg: "MISP e225 [misp-galaxy:ransomware="Darkside",tlp:white] Outgoing To IP: 185.180.197.86|443"; classtype:trojan-activity; sid:4094801; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/225;) alert dns any any -> any any (msg: "MISP e225 [misp-galaxy:ransomware="Darkside",tlp:white] Domain athaliaoriginals.com"; dns.query; content:"athaliaoriginals.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])athaliaoriginals\.com$/i"; classtype:trojan-activity; sid:4094811; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/225;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e225 [misp-galaxy:ransomware="Darkside",tlp:white] Outgoing HTTP Domain athaliaoriginals.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"athaliaoriginals.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])athaliaoriginals\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4094812; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/225;) alert dns any any -> any any (msg: "MISP e225 [misp-galaxy:ransomware="Darkside",tlp:white] Domain lagrom.com"; dns.query; content:"lagrom.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])lagrom\.com$/i"; classtype:trojan-activity; sid:4094821; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/225;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e225 [misp-galaxy:ransomware="Darkside",tlp:white] Outgoing HTTP Domain lagrom.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lagrom.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lagrom\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4094822; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/225;) alert dns any any -> any any (msg: "MISP e225 [misp-galaxy:ransomware="Darkside",tlp:white] Hostname ctxinit.azureedge.net"; dns.query; content:"ctxinit.azureedge.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ctxinit\.azureedge\.net$/i"; classtype:trojan-activity; sid:4094831; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/225;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e225 [misp-galaxy:ransomware="Darkside",tlp:white] Outgoing HTTP Hostname ctxinit.azureedge.net"; flow:to_server,established; http.header; content: "Host|3a| ctxinit.azureedge.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ctxinit\.azureedge\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4094832; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/225;) alert ip $HOME_NET any -> 45.77.64.111 any (msg: "MISP e225 [misp-galaxy:ransomware="Darkside",tlp:white] Outgoing To IP: 45.77.64.111"; classtype:trojan-activity; sid:4094841; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/225;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e225 [misp-galaxy:ransomware="Darkside",tlp:white] Outgoing URL https|3a|//104.193.252.197|3a|443/"; tls.sni; content:"104.193.252.197"; tag:session,600,seconds; classtype:trojan-activity; sid:4094861; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/225;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e225 [misp-galaxy:ransomware="Darkside",tlp:white] Outgoing URL https|3a|//162.244.81.253|3a|443/"; tls.sni; content:"162.244.81.253"; tag:session,600,seconds; classtype:trojan-activity; sid:4094871; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/225;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e225 [misp-galaxy:ransomware="Darkside",tlp:white] Outgoing URL https|3a|//185.180.197.86|3a|443/"; tls.sni; content:"185.180.197.86"; tag:session,600,seconds; classtype:trojan-activity; sid:4094881; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/225;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e225 [misp-galaxy:ransomware="Darkside",tlp:white] Outgoing URL https|3a|//athaliaoriginals.com/"; tls.sni; content:"athaliaoriginals.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4094891; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/225;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e225 [misp-galaxy:ransomware="Darkside",tlp:white] Outgoing URL https|3a|//lagrom.com|3a|443/font.html"; tls.sni; content:"lagrom.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4094901; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/225;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e225 [misp-galaxy:ransomware="Darkside",tlp:white] Outgoing URL https|3a|//lagrom.com|3a|443/night.html"; tls.sni; content:"lagrom.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4094911; rev:1; 
priority:1; reference:url,https://misp.botvrij.eu/events/view/225;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e225 [misp-galaxy:ransomware="Darkside",tlp:white] Outgoing URL https|3a|//lagrom.com|3a|443/online.html"; tls.sni; content:"lagrom.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4094921; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/225;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e225 [misp-galaxy:ransomware="Darkside",tlp:white] Outgoing URL https|3a|//lagrom.com|3a|443/send.html"; tls.sni; content:"lagrom.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4094931; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/225;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e225 [misp-galaxy:ransomware="Darkside",tlp:white] Outgoing URL https|3a|//lagrom.com/find.html?key=id#-"; tls.sni; content:"lagrom.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4094941; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/225;) alert dns any any -> any any (msg: "MISP e226 [misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="External Proxy - T1090.002",misp-galaxy:mitre-attack-pattern="Group Policy Modification - T1484",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046",misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003",misp-galaxy:mitre-attack-pattern="Pass the Hash - T1550.002",misp-galaxy:mitre-attack-pattern="Permission Groups Discovery - 
T1069",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002",misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:malpedia="Conti",tlp:white] Domain vaclicinni.xyz"; dns.query; content:"vaclicinni.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])vaclicinni\.xyz$/i"; classtype:trojan-activity; sid:4095101; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/226;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e226 [misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="External Proxy - T1090.002",misp-galaxy:mitre-attack-pattern="Group Policy Modification - T1484",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046",misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003",misp-galaxy:mitre-attack-pattern="Pass the Hash - T1550.002",misp-galaxy:mitre-attack-pattern="Permission Groups Discovery - T1069",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002",misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002",misp-galaxy:mitre-attack-pattern="System Owner/User 
Discovery - T1033",misp-galaxy:malpedia="Conti",tlp:white] Outgoing HTTP Domain vaclicinni.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vaclicinni.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vaclicinni\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4095102; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/226;) alert dns any any -> any any (msg: "MISP e226 [misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="External Proxy - T1090.002",misp-galaxy:mitre-attack-pattern="Group Policy Modification - T1484",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046",misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003",misp-galaxy:mitre-attack-pattern="Pass the Hash - T1550.002",misp-galaxy:mitre-attack-pattern="Permission Groups Discovery - T1069",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002",misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:malpedia="Conti",tlp:white] Domain thulleultinn.club"; dns.query; content:"thulleultinn.club"; nocase; pcre: "/(^|[^A-Za-z0-9-])thulleultinn\.club$/i"; classtype:trojan-activity; sid:4095111; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/226;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e226 [misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="External Proxy - T1090.002",misp-galaxy:mitre-attack-pattern="Group Policy Modification - T1484",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046",misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003",misp-galaxy:mitre-attack-pattern="Pass the Hash - T1550.002",misp-galaxy:mitre-attack-pattern="Permission Groups Discovery - T1069",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002",misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:malpedia="Conti",tlp:white] Outgoing HTTP Domain thulleultinn.club"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"thulleultinn.club"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])thulleultinn\.club[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4095112; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/226;) alert dns any any -> any any (msg: "MISP e226 [misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="Application Layer Protocol - 
T1071",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="External Proxy - T1090.002",misp-galaxy:mitre-attack-pattern="Group Policy Modification - T1484",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046",misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003",misp-galaxy:mitre-attack-pattern="Pass the Hash - T1550.002",misp-galaxy:mitre-attack-pattern="Permission Groups Discovery - T1069",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002",misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:malpedia="Conti",tlp:white] Domain oxythuler.cyou"; dns.query; content:"oxythuler.cyou"; nocase; pcre: "/(^|[^A-Za-z0-9-])oxythuler\.cyou$/i"; classtype:trojan-activity; sid:4095121; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/226;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e226 [misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="External Proxy - T1090.002",misp-galaxy:mitre-attack-pattern="Group Policy Modification - 
T1484",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046",misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003",misp-galaxy:mitre-attack-pattern="Pass the Hash - T1550.002",misp-galaxy:mitre-attack-pattern="Permission Groups Discovery - T1069",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002",misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:malpedia="Conti",tlp:white] Outgoing HTTP Domain oxythuler.cyou"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"oxythuler.cyou"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])oxythuler\.cyou[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4095122; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/226;) alert dns any any -> any any (msg: "MISP e226 [misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="External Proxy - T1090.002",misp-galaxy:mitre-attack-pattern="Group Policy Modification - T1484",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046",misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003",misp-galaxy:mitre-attack-pattern="Pass the Hash - 
T1550.002",misp-galaxy:mitre-attack-pattern="Permission Groups Discovery - T1069",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002",misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:malpedia="Conti",tlp:white] Domain dictorecovery.cyou"; dns.query; content:"dictorecovery.cyou"; nocase; pcre: "/(^|[^A-Za-z0-9-])dictorecovery\.cyou$/i"; classtype:trojan-activity; sid:4095131; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/226;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e226 [misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="External Proxy - T1090.002",misp-galaxy:mitre-attack-pattern="Group Policy Modification - T1484",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046",misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003",misp-galaxy:mitre-attack-pattern="Pass the Hash - T1550.002",misp-galaxy:mitre-attack-pattern="Permission Groups Discovery - T1069",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - 
T1021.002",misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:malpedia="Conti",tlp:white] Outgoing HTTP Domain dictorecovery.cyou"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dictorecovery.cyou"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dictorecovery\.cyou[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4095132; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/226;) alert dns any any -> any any (msg: "MISP e226 [misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="External Proxy - T1090.002",misp-galaxy:mitre-attack-pattern="Group Policy Modification - T1484",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046",misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003",misp-galaxy:mitre-attack-pattern="Pass the Hash - T1550.002",misp-galaxy:mitre-attack-pattern="Permission Groups Discovery - T1069",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002",misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:malpedia="Conti",tlp:white] Domain expertulthima.club"; dns.query; content:"expertulthima.club"; nocase; 
pcre: "/(^|[^A-Za-z0-9-])expertulthima\.club$/i"; classtype:trojan-activity; sid:4095141; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/226;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e226 [misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="External Proxy - T1090.002",misp-galaxy:mitre-attack-pattern="Group Policy Modification - T1484",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046",misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003",misp-galaxy:mitre-attack-pattern="Pass the Hash - T1550.002",misp-galaxy:mitre-attack-pattern="Permission Groups Discovery - T1069",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002",misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:malpedia="Conti",tlp:white] Outgoing HTTP Domain expertulthima.club"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"expertulthima.club"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])expertulthima\.club[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4095142; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/226;) alert ip $HOME_NET any -> 68.183.20.194 80 (msg: "MISP e226 
[misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="External Proxy - T1090.002",misp-galaxy:mitre-attack-pattern="Group Policy Modification - T1484",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046",misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003",misp-galaxy:mitre-attack-pattern="Pass the Hash - T1550.002",misp-galaxy:mitre-attack-pattern="Permission Groups Discovery - T1069",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002",misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:malpedia="Conti",tlp:white] Outgoing To IP: 68.183.20.194|80"; classtype:trojan-activity; sid:4095151; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/226;) alert ip $HOME_NET any -> 159.89.140.116 443 (msg: "MISP e226 [misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="External Proxy - 
T1090.002",misp-galaxy:mitre-attack-pattern="Group Policy Modification - T1484",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046",misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003",misp-galaxy:mitre-attack-pattern="Pass the Hash - T1550.002",misp-galaxy:mitre-attack-pattern="Permission Groups Discovery - T1069",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002",misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:malpedia="Conti",tlp:white] Outgoing To IP: 159.89.140.116|443"; classtype:trojan-activity; sid:4095161; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/226;) alert ip $HOME_NET any -> 83.97.20.160 443 (msg: "MISP e226 [misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="External Proxy - T1090.002",misp-galaxy:mitre-attack-pattern="Group Policy Modification - T1484",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046",misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003",misp-galaxy:mitre-attack-pattern="Pass the Hash - T1550.002",misp-galaxy:mitre-attack-pattern="Permission Groups Discovery - T1069",misp-galaxy:mitre-attack-pattern="Process Injection - 
T1055",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002",misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:malpedia="Conti",tlp:white] Outgoing To IP: 83.97.20.160|443"; classtype:trojan-activity; sid:4095171; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/226;) alert dns any any -> any any (msg: "MISP e226 [misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="External Proxy - T1090.002",misp-galaxy:mitre-attack-pattern="Group Policy Modification - T1484",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046",misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003",misp-galaxy:mitre-attack-pattern="Pass the Hash - T1550.002",misp-galaxy:mitre-attack-pattern="Permission Groups Discovery - T1069",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002",misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:malpedia="Conti",tlp:white] Domain dimentos.com"; dns.query; content:"dimentos.com"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])dimentos\.com$/i"; classtype:trojan-activity; sid:4095181; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/226;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e226 [misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="External Proxy - T1090.002",misp-galaxy:mitre-attack-pattern="Group Policy Modification - T1484",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046",misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003",misp-galaxy:mitre-attack-pattern="Pass the Hash - T1550.002",misp-galaxy:mitre-attack-pattern="Permission Groups Discovery - T1069",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002",misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:malpedia="Conti",tlp:white] Outgoing HTTP Domain dimentos.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dimentos.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dimentos\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4095182; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/226;) alert ip $HOME_NET any -> 192.99.178.145 80 (msg: "MISP e226 [misp-galaxy:mitre-attack-pattern="Access Token 
Manipulation - T1134",misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="External Proxy - T1090.002",misp-galaxy:mitre-attack-pattern="Group Policy Modification - T1484",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046",misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003",misp-galaxy:mitre-attack-pattern="Pass the Hash - T1550.002",misp-galaxy:mitre-attack-pattern="Permission Groups Discovery - T1069",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002",misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:malpedia="Conti",tlp:white] Outgoing To IP: 192.99.178.145|80"; classtype:trojan-activity; sid:4095191; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/226;) alert ip $HOME_NET any -> 38.135.122.194 8080 (msg: "MISP e226 [misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="External Proxy - T1090.002",misp-galaxy:mitre-attack-pattern="Group Policy 
Modification - T1484",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046",misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003",misp-galaxy:mitre-attack-pattern="Pass the Hash - T1550.002",misp-galaxy:mitre-attack-pattern="Permission Groups Discovery - T1069",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002",misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:malpedia="Conti",tlp:white] Outgoing To IP: 38.135.122.194|8080"; classtype:trojan-activity; sid:4095201; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/226;) alert ip $HOME_NET any -> 185.243.214.107 any (msg: "MISP e229 [tlp:white,misp-galaxy:ransomware="Darkside"] Outgoing To IP: 185.243.214.107"; classtype:trojan-activity; sid:4095791; rev:1; priority:4; reference:url,https://misp.botvrij.eu/events/view/229;) alert ip $HOME_NET any -> 64.32.25.202 any (msg: "MISP e231 [tlp:white] Outgoing To IP: 64.32.25.202"; classtype:trojan-activity; sid:4096831; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/231;) alert dns any any -> any any (msg: "MISP e233 [PAP:WHITE,course-of-action:passive="detect",course-of-action:active="deny",tlp:white,misp-galaxy:ransomware="Darkside",dhs-ciip-sectors:DHS-critical-sectors="energy"] Domain catsdegree.com"; dns.query; content:"catsdegree.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])catsdegree\.com$/i"; classtype:trojan-activity; sid:4097541; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/233;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e233 
[PAP:WHITE,course-of-action:passive="detect",course-of-action:active="deny",tlp:white,misp-galaxy:ransomware="Darkside",dhs-ciip-sectors:DHS-critical-sectors="energy"] Outgoing HTTP Domain catsdegree.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"catsdegree.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])catsdegree\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4097542; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/233;) alert ip $HOME_NET any -> 99.83.154.118 any (msg: "MISP e233 [PAP:WHITE,course-of-action:passive="detect",course-of-action:active="deny",tlp:white,misp-galaxy:ransomware="Darkside",dhs-ciip-sectors:DHS-critical-sectors="energy"] Outgoing To IP: 99.83.154.118"; classtype:trojan-activity; sid:4097551; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/233;) alert dns any any -> any any (msg: "MISP e233 [PAP:WHITE,course-of-action:passive="detect",course-of-action:active="deny",tlp:white,misp-galaxy:ransomware="Darkside",dhs-ciip-sectors:DHS-critical-sectors="energy"] Domain rumahsia.com"; dns.query; content:"rumahsia.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])rumahsia\.com$/i"; classtype:trojan-activity; sid:4097561; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/233;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e233 [PAP:WHITE,course-of-action:passive="detect",course-of-action:active="deny",tlp:white,misp-galaxy:ransomware="Darkside",dhs-ciip-sectors:DHS-critical-sectors="energy"] Outgoing HTTP Domain rumahsia.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"rumahsia.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])rumahsia\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4097562; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/233;) alert dns any any -> any any (msg: "MISP e233 
[PAP:WHITE,course-of-action:passive="detect",course-of-action:active="deny",tlp:white,misp-galaxy:ransomware="Darkside",dhs-ciip-sectors:DHS-critical-sectors="energy"] Domain baroquetees.com"; dns.query; content:"baroquetees.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])baroquetees\.com$/i"; classtype:trojan-activity; sid:4097571; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/233;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e233 [PAP:WHITE,course-of-action:passive="detect",course-of-action:active="deny",tlp:white,misp-galaxy:ransomware="Darkside",dhs-ciip-sectors:DHS-critical-sectors="energy"] Outgoing HTTP Domain baroquetees.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"baroquetees.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])baroquetees\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4097572; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/233;) alert ip $HOME_NET any -> 176.103.62.217 any (msg: "MISP e233 [PAP:WHITE,course-of-action:passive="detect",course-of-action:active="deny",tlp:white,misp-galaxy:ransomware="Darkside",dhs-ciip-sectors:DHS-critical-sectors="energy"] Outgoing To IP: 176.103.62.217"; classtype:trojan-activity; sid:4097581; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/233;) alert dns any any -> any any (msg: "MISP e233 [PAP:WHITE,course-of-action:passive="detect",course-of-action:active="deny",tlp:white,misp-galaxy:ransomware="Darkside",dhs-ciip-sectors:DHS-critical-sectors="energy"] Domain securebestapp20.com"; dns.query; content:"securebestapp20.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])securebestapp20\.com$/i"; classtype:trojan-activity; sid:4097591; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/233;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e233 
[PAP:WHITE,course-of-action:passive="detect",course-of-action:active="deny",tlp:white,misp-galaxy:ransomware="Darkside",dhs-ciip-sectors:DHS-critical-sectors="energy"] Outgoing HTTP Domain securebestapp20.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"securebestapp20.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])securebestapp20\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4097592; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/233;) alert ip $HOME_NET any -> 185.105.109.19 any (msg: "MISP e233 [PAP:WHITE,course-of-action:passive="detect",course-of-action:active="deny",tlp:white,misp-galaxy:ransomware="Darkside",dhs-ciip-sectors:DHS-critical-sectors="energy"] Outgoing To IP: 185.105.109.19"; classtype:trojan-activity; sid:4097601; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/233;) alert dns any any -> any any (msg: "MISP e233 [PAP:WHITE,course-of-action:passive="detect",course-of-action:active="deny",tlp:white,misp-galaxy:ransomware="Darkside",dhs-ciip-sectors:DHS-critical-sectors="energy"] Domain temisleyes.com"; dns.query; content:"temisleyes.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])temisleyes\.com$/i"; classtype:trojan-activity; sid:4097611; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/233;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e233 [PAP:WHITE,course-of-action:passive="detect",course-of-action:active="deny",tlp:white,misp-galaxy:ransomware="Darkside",dhs-ciip-sectors:DHS-critical-sectors="energy"] Outgoing HTTP Domain temisleyes.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"temisleyes.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])temisleyes\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4097612; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/233;) alert ip $HOME_NET any 
-> 198.54.117.197 any (msg: "MISP e233 [PAP:WHITE,course-of-action:passive="detect",course-of-action:active="deny",tlp:white,misp-galaxy:ransomware="Darkside",dhs-ciip-sectors:DHS-critical-sectors="energy"] Outgoing To IP: 198.54.117.197"; classtype:trojan-activity; sid:4097621; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/233;) alert http $HOME_NET any -> 110.42.4.180 2081 (msg: "MISP e234 [tlp:white] Outgoing URL http|3a|//110.42.4.180|3a|2081/u"; flow:to_server,established; http.header; content:"110.42.4.180"; fast_pattern; nocase; http.uri; content:"/u"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4097631; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/234;) alert http $HOME_NET any -> 110.42.4.180 2081 (msg: "MISP e234 [tlp:white] Outgoing URL http|3a|//110.42.4.180|3a|2081/p"; flow:to_server,established; http.header; content:"110.42.4.180"; fast_pattern; nocase; http.uri; content:"/p"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4097641; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/234;) alert http $HOME_NET any -> 110.42.4.180 2081 (msg: "MISP e234 [tlp:white] Outgoing URL http|3a|//110.42.4.180|3a|2081/h?"; flow:to_server,established; http.header; content:"110.42.4.180"; fast_pattern; nocase; http.uri; content:"/h"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4097651; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/234;) alert http $HOME_NET any -> 110.42.4.180 2081 (msg: "MISP e234 [tlp:white] Outgoing URL http|3a|//110.42.4.180|3a|2081/s"; flow:to_server,established; http.header; content:"110.42.4.180"; fast_pattern; nocase; http.uri; content:"/s"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4097661; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/234;) alert http $HOME_NET any -> 110.42.4.180 2081 (msg: "MISP e234 [tlp:white] Outgoing URL 
http|3a|//110.42.4.180|3a|2081/c"; flow:to_server,established; http.header; content:"110.42.4.180"; fast_pattern; nocase; http.uri; content:"/c"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4097671; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/234;) alert http $HOME_NET any -> 110.42.4.180 2081 (msg: "MISP e234 [tlp:white] Outgoing URL http|3a|//110.42.4.180|3a|2081/v?"; flow:to_server,established; http.header; content:"110.42.4.180"; fast_pattern; nocase; http.uri; content:"/v"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4097681; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/234;) alert http $HOME_NET any -> 110.42.4.180 2081 (msg: "MISP e234 [tlp:white] Outgoing URL http|3a|//110.42.4.180|3a|2081/d6"; flow:to_server,established; http.header; content:"110.42.4.180"; fast_pattern; nocase; http.uri; content:"/d6"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4097691; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/234;) alert ip $HOME_NET any -> 110.42.4.180 any (msg: "MISP e234 [tlp:white] Outgoing To IP: 110.42.4.180"; classtype:trojan-activity; sid:4097731; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/234;) alert ip $HOME_NET any -> 45.248.10.244 any (msg: "MISP e234 [tlp:white] Outgoing To IP: 45.248.10.244"; classtype:trojan-activity; sid:4097741; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/234;) alert dns any any -> any any (msg: "MISP e235 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001",misp-galaxy:mitre-attack-pattern="Web Protocols - 
T1071.001",misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",tlp:white] Hostname infodocs.kginfocom.com"; dns.query; content:"infodocs.kginfocom.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])infodocs\.kginfocom\.com$/i"; classtype:trojan-activity; sid:4099291; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/235;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e235 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",tlp:white] Outgoing HTTP Hostname infodocs.kginfocom.com"; flow:to_server,established; http.header; content: "Host|3a| infodocs.kginfocom.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])infodocs\.kginfocom\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4099292; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/235;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e235 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Security Software Discovery - 
T1518.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",tlp:white] Outgoing URL infodocs.kginfocom.com/gin/kw.asp"; flow:to_server,established; http.uri; content:"infodocs.kginfocom.com/gin/kw.asp"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4099301; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/235;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e235 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",tlp:white] Outgoing URL infodocs.kginfocom.com/gin/tab.asp"; flow:to_server,established; http.uri; content:"infodocs.kginfocom.com/gin/tab.asp"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4099311; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/235;) alert dns any any -> any any (msg: "MISP e235 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Security Software Discovery - 
T1518.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",tlp:white] Hostname ousync.kginfocom.com"; dns.query; content:"ousync.kginfocom.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ousync\.kginfocom\.com$/i"; classtype:trojan-activity; sid:4099321; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/235;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e235 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",tlp:white] Outgoing HTTP Hostname ousync.kginfocom.com"; flow:to_server,established; http.header; content: "Host|3a| ousync.kginfocom.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ousync\.kginfocom\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4099322; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/235;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e235 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - 
T1027",misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",tlp:white] Outgoing URL ousync.kginfocom.com/sync/kw.asp"; flow:to_server,established; http.uri; content:"ousync.kginfocom.com/sync/kw.asp"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4099331; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/235;) alert dns any any -> any any (msg: "MISP e235 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",tlp:white] Hostname uslugi.mahallafond.com"; dns.query; content:"uslugi.mahallafond.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])uslugi\.mahallafond\.com$/i"; classtype:trojan-activity; sid:4099341; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/235;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e235 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - 
T1027",misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",tlp:white] Outgoing HTTP Hostname uslugi.mahallafond.com"; flow:to_server,established; http.header; content: "Host|3a| uslugi.mahallafond.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])uslugi\.mahallafond\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4099342; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/235;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e235 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",tlp:white] Outgoing URL uslugi.mahallafond.com/hall/kw.asp"; flow:to_server,established; http.uri; content:"uslugi.mahallafond.com/hall/kw.asp"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4099351; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/235;) alert dns any any -> any any (msg: "MISP e235 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - 
T1547.001",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",tlp:white] Hostname 6z98os.id597.link"; dns.query; content:"6z98os.id597.link"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])6z98os\.id597\.link$/i"; classtype:trojan-activity; sid:4099361; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/235;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e235 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",tlp:white] Outgoing HTTP Hostname 6z98os.id597.link"; flow:to_server,established; http.header; content: "Host|3a| 6z98os.id597.link"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])6z98os\.id597\.link[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4099362; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/235;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e235 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Registry Run Keys 
/ Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",tlp:white] Outgoing URL 6z98os.id597.link/css/art.asp"; flow:to_server,established; http.uri; content:"6z98os.id597.link/css/art.asp"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4099371; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/235;) alert dns any any -> any any (msg: "MISP e235 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",tlp:white] Hostname hwyigd.laccessal.org"; dns.query; content:"hwyigd.laccessal.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])hwyigd\.laccessal\.org$/i"; classtype:trojan-activity; sid:4099381; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/235;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e235 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - 
T1547.001",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",tlp:white] Outgoing HTTP Hostname hwyigd.laccessal.org"; flow:to_server,established; http.header; content: "Host|3a| hwyigd.laccessal.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])hwyigd\.laccessal\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4099382; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/235;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e235 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",tlp:white] Outgoing URL hwyigd.laccessal.org/news/art.asp"; flow:to_server,established; http.uri; content:"hwyigd.laccessal.org/news/art.asp"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4099391; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/235;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e235 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Malicious File - 
T1204.002",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",tlp:white] Outgoing URL hwyigd.laccessal.org/news/js.asp"; flow:to_server,established; http.uri; content:"hwyigd.laccessal.org/news/js.asp"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4099401; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/235;) alert dns any any -> any any (msg: "MISP e235 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",tlp:white] Hostname help.2019mfa.com"; dns.query; content:"help.2019mfa.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])help\.2019mfa\.com$/i"; classtype:trojan-activity; sid:4099411; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/235;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e235 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Registry Run 
Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",tlp:white] Outgoing HTTP Hostname help.2019mfa.com"; flow:to_server,established; http.header; content: "Host|3a| help.2019mfa.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])help\.2019mfa\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4099412; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/235;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e235 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",tlp:white] Outgoing URL help.2019mfa.com/help/art.asp"; flow:to_server,established; http.uri; content:"help.2019mfa.com/help/art.asp"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4099421; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/235;) alert dns any any -> any any (msg: "MISP e235 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Malicious File - 
T1204.002",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",tlp:white] Hostname m.usascd.com"; dns.query; content:"m.usascd.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])m\.usascd\.com$/i"; classtype:trojan-activity; sid:4099431; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/235;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e235 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",tlp:white] Outgoing HTTP Hostname m.usascd.com"; flow:to_server,established; http.header; content: "Host|3a| m.usascd.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])m\.usascd\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4099432; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/235;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e235 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Malicious File - 
T1204.002",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",tlp:white] Outgoing URL m.usascd.com/uss/word.asp"; flow:to_server,established; http.uri; content:"m.usascd.com/uss/word.asp"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4099441; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/235;) alert dns any any -> any any (msg: "MISP e235 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",tlp:white] Hostname ns01-mfa.ungov.org"; dns.query; content:"ns01-mfa.ungov.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ns01\-mfa\.ungov\.org$/i"; classtype:trojan-activity; sid:4099451; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/235;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e235 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Registry Run Keys / 
Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",tlp:white] Outgoing HTTP Hostname ns01-mfa.ungov.org"; flow:to_server,established; http.header; content: "Host|3a| ns01-mfa.ungov.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ns01\-mfa\.ungov\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4099452; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/235;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e235 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",tlp:white] Outgoing URL ns01-mfa.ungov.org/un/art.asp"; flow:to_server,established; http.uri; content:"ns01-mfa.ungov.org/un/art.asp"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4099461; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/235;) alert dns any any -> any any (msg: "MISP e235 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Malicious File - 
T1204.002",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",tlp:white] Hostname dcc.ungov.org"; dns.query; content:"dcc.ungov.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])dcc\.ungov\.org$/i"; classtype:trojan-activity; sid:4099471; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/235;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e235 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",tlp:white] Outgoing HTTP Hostname dcc.ungov.org"; flow:to_server,established; http.header; content: "Host|3a| dcc.ungov.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])dcc\.ungov\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4099472; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/235;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e235 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Malicious File - 
T1204.002",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",tlp:white] Outgoing URL dcc.ungov.org/crss/art.asp"; flow:to_server,established; http.uri; content:"dcc.ungov.org/crss/art.asp"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4099481; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/235;) alert dns any any -> any any (msg: "MISP e235 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",tlp:white] Hostname index.google-upgrade.com"; dns.query; content:"index.google-upgrade.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])index\.google\-upgrade\.com$/i"; classtype:trojan-activity; sid:4099491; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/235;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e235 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Malicious File - 
T1204.002",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",tlp:white] Outgoing HTTP Hostname index.google-upgrade.com"; flow:to_server,established; http.header; content: "Host|3a| index.google-upgrade.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])index\.google\-upgrade\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4099492; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/235;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e235 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",tlp:white] Outgoing URL index.google-upgrade.com/upgrade/art.asp"; flow:to_server,established; http.uri; content:"index.google-upgrade.com/upgrade/art.asp"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4099501; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/235;) alert dns any any -> any any (msg: "MISP e235 
[misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",tlp:white] Hostname mofa.ungov.org"; dns.query; content:"mofa.ungov.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mofa\.ungov\.org$/i"; classtype:trojan-activity; sid:4099511; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/235;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e235 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",tlp:white] Outgoing HTTP Hostname mofa.ungov.org"; flow:to_server,established; http.header; content: "Host|3a| mofa.ungov.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mofa\.ungov\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4099512; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/235;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e235 
[misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",tlp:white] Outgoing URL mofa.ungov.org/momo/art.asp"; flow:to_server,established; http.uri; content:"mofa.ungov.org/momo/art.asp"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4099521; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/235;) alert dns any any -> any any (msg: "MISP e235 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",tlp:white] Hostname update.ictdp.com"; dns.query; content:"update.ictdp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])update\.ictdp\.com$/i"; classtype:trojan-activity; sid:4099531; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/235;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e235 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - 
T1566.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",tlp:white] Outgoing HTTP Hostname update.ictdp.com"; flow:to_server,established; http.header; content: "Host|3a| update.ictdp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])update\.ictdp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4099532; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/235;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e235 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",tlp:white] Outgoing URL update.ictdp.com/new/art.asp"; flow:to_server,established; http.uri; content:"update.ictdp.com/new/art.asp"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4099541; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/235;) alert dns any any -> any any (msg: "MISP e235 
[misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",tlp:white] Hostname post.mfa-uz.com"; dns.query; content:"post.mfa-uz.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])post\.mfa\-uz\.com$/i"; classtype:trojan-activity; sid:4099551; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/235;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e235 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",tlp:white] Outgoing HTTP Hostname post.mfa-uz.com"; flow:to_server,established; http.header; content: "Host|3a| post.mfa-uz.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])post\.mfa\-uz\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4099552; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/235;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: 
"MISP e235 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",tlp:white] Outgoing URL post.mfa-uz.com/post/art.asp"; flow:to_server,established; http.uri; content:"post.mfa-uz.com/post/art.asp"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4099561; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/235;) alert dns any any -> any any (msg: "MISP e235 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",tlp:white] Hostname cdn.muincxoil.com"; dns.query; content:"cdn.muincxoil.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cdn\.muincxoil\.com$/i"; classtype:trojan-activity; sid:4099571; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/235;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e235 [misp-galaxy:mitre-attack-pattern="Spearphishing 
Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",tlp:white] Outgoing HTTP Hostname cdn.muincxoil.com"; flow:to_server,established; http.header; content: "Host|3a| cdn.muincxoil.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cdn\.muincxoil\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4099572; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/235;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e235 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",tlp:white] Outgoing URL cdn.muincxoil.com/cdn/js.asp"; flow:to_server,established; http.uri; content:"cdn.muincxoil.com/cdn/js.asp"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4099581; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/235;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: 
"MISP e235 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",tlp:white] Outgoing URL cdn.muincxoil.com/cdn/art.asp"; flow:to_server,established; http.uri; content:"cdn.muincxoil.com/cdn/art.asp"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4099591; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/235;) alert dns any any -> any any (msg: "MISP e235 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",tlp:white] Hostname tm.2019mfa.com"; dns.query; content:"tm.2019mfa.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])tm\.2019mfa\.com$/i"; classtype:trojan-activity; sid:4099601; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/235;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e235 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - 
T1566.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",tlp:white] Outgoing HTTP Hostname tm.2019mfa.com"; flow:to_server,established; http.header; content: "Host|3a| tm.2019mfa.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])tm\.2019mfa\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4099602; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/235;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e235 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",tlp:white] Outgoing URL tm.2019mfa.com/css/p_d.asp"; flow:to_server,established; http.uri; content:"tm.2019mfa.com/css/p_d.asp"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4099611; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/235;) alert ip $HOME_NET any -> 162.244.80.235 any (msg: "MISP e236 
[misp-galaxy:ransomware="Conti",misp-galaxy:mitre-malware="Cobalt Strike - S0154",tlp:white] Outgoing To IP: 162.244.80.235"; classtype:trojan-activity; sid:4099691; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/236;)
# NOTE(review): the e236 "Outgoing To IP" rules are bare `alert ip` signatures with no
# flow, app-layer or threshold keyword, so every outbound packet to the listed address
# raises an alert (one connection attempt with retransmitted SYNs yields several), and
# the only selector is the destination address itself. Addresses from a Conti /
# Cobalt Strike event are the most perishable indicators in this export: once the IP
# is re-assigned or turns out to be shared hosting there is nothing else in the rule to
# fall back on, so treat a hit as a lead to pivot on, not a verdict. If these are
# noisy, a `threshold:type limit, track by_src, count 1, seconds 60;` keeps one alert
# per source per minute without losing the detection.
alert ip $HOME_NET any -> 85.93.88.165 any (msg: "MISP e236 [misp-galaxy:ransomware="Conti",misp-galaxy:mitre-malware="Cobalt Strike - S0154",tlp:white] Outgoing To IP: 85.93.88.165"; classtype:trojan-activity; sid:4099701; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/236;)
alert ip $HOME_NET any -> 185.141.63.120 any (msg: "MISP e236 [misp-galaxy:ransomware="Conti",misp-galaxy:mitre-malware="Cobalt Strike - S0154",tlp:white] Outgoing To IP: 185.141.63.120"; classtype:trojan-activity; sid:4099711; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/236;)
alert ip $HOME_NET any -> 82.118.21.1 any (msg: "MISP e236 [misp-galaxy:ransomware="Conti",misp-galaxy:mitre-malware="Cobalt Strike - S0154",tlp:white] Outgoing To IP: 82.118.21.1"; classtype:trojan-activity; sid:4099721; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/236;)
# NOTE(review): "Domain" rules (e237) and "Hostname" rules (e235) differ only in the
# pcre boundary class. Here the class before the name is [^A-Za-z0-9-], which does NOT
# exclude '.', so any subdomain of cousinrentals2000b.com matches as well; the e235
# Hostname rules use [^A-Za-z0-9-\.] and match the exact host only. Keep that
# distinction in mind when triaging - a Domain hit on a deep subdomain is expected.
# The DNS rule is `any any -> any any`, so on a network with an internal recursive
# resolver one lookup can alert twice (client -> resolver and resolver -> upstream).
alert dns any any -> any any (msg: "MISP e237 [misp-galaxy:mitre-intrusion-set="TA551 - G0127",misp-galaxy:mitre-malware="Cobalt Strike - S0154",tlp:white] Domain cousinrentals2000b.com"; dns.query; content:"cousinrentals2000b.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])cousinrentals2000b\.com$/i"; classtype:trojan-activity; sid:4099911; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/237;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e237 [misp-galaxy:mitre-intrusion-set="TA551 - G0127",misp-galaxy:mitre-malware="Cobalt Strike - S0154",tlp:white] Outgoing HTTP Domain cousinrentals2000b.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cousinrentals2000b.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cousinrentals2000b\.com[^A-Za-z0-9-\.]/Hi"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4099912; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/237;) alert dns any any -> any any (msg: "MISP e237 [misp-galaxy:mitre-intrusion-set="TA551 - G0127",misp-galaxy:mitre-malware="Cobalt Strike - S0154",tlp:white] Domain curtainbeild.com"; dns.query; content:"curtainbeild.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])curtainbeild\.com$/i"; classtype:trojan-activity; sid:4099921; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/237;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e237 [misp-galaxy:mitre-intrusion-set="TA551 - G0127",misp-galaxy:mitre-malware="Cobalt Strike - S0154",tlp:white] Outgoing HTTP Domain curtainbeild.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"curtainbeild.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])curtainbeild\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4099922; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/237;) alert dns any any -> any any (msg: "MISP e237 [misp-galaxy:mitre-intrusion-set="TA551 - G0127",misp-galaxy:mitre-malware="Cobalt Strike - S0154",tlp:white] Domain haleassetss.com"; dns.query; content:"haleassetss.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])haleassetss\.com$/i"; classtype:trojan-activity; sid:4099931; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/237;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e237 [misp-galaxy:mitre-intrusion-set="TA551 - G0127",misp-galaxy:mitre-malware="Cobalt Strike - S0154",tlp:white] Outgoing HTTP Domain haleassetss.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"haleassetss.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])haleassetss\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4099932; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/237;) alert dns any any -> any any (msg: "MISP e237 [misp-galaxy:mitre-intrusion-set="TA551 - G0127",misp-galaxy:mitre-malware="Cobalt Strike - S0154",tlp:white] Domain parkerarrangeg.com"; dns.query; content:"parkerarrangeg.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])parkerarrangeg\.com$/i"; classtype:trojan-activity; sid:4099941; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/237;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e237 [misp-galaxy:mitre-intrusion-set="TA551 - G0127",misp-galaxy:mitre-malware="Cobalt Strike - S0154",tlp:white] Outgoing HTTP Domain parkerarrangeg.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"parkerarrangeg.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])parkerarrangeg\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4099942; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/237;) alert dns any any -> any any (msg: "MISP e237 [misp-galaxy:mitre-intrusion-set="TA551 - G0127",misp-galaxy:mitre-malware="Cobalt Strike - S0154",tlp:white] Domain operarentals2006b.com"; dns.query; content:"operarentals2006b.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])operarentals2006b\.com$/i"; classtype:trojan-activity; sid:4099951; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/237;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e237 [misp-galaxy:mitre-intrusion-set="TA551 - G0127",misp-galaxy:mitre-malware="Cobalt Strike - S0154",tlp:white] Outgoing HTTP Domain operarentals2006b.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"operarentals2006b.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])operarentals2006b\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4099952; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/237;) alert dns any any 
-> any any (msg: "MISP e237 [misp-galaxy:mitre-intrusion-set="TA551 - G0127",misp-galaxy:mitre-malware="Cobalt Strike - S0154",tlp:white] Domain sunalvarezd.com"; dns.query; content:"sunalvarezd.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])sunalvarezd\.com$/i"; classtype:trojan-activity; sid:4099961; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/237;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e237 [misp-galaxy:mitre-intrusion-set="TA551 - G0127",misp-galaxy:mitre-malware="Cobalt Strike - S0154",tlp:white] Outgoing HTTP Domain sunalvarezd.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sunalvarezd.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sunalvarezd\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4099962; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/237;)
alert ip $HOME_NET any -> 45.95.11.158 any (msg: "MISP e237 [misp-galaxy:mitre-intrusion-set="TA551 - G0127",misp-galaxy:mitre-malware="Cobalt Strike - S0154",tlp:white] Outgoing To IP: 45.95.11.158"; classtype:trojan-activity; sid:4099971; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/237;)
# NOTE(review): the two tls rules below match the URL's IP literal in the TLS SNI (tls.sni).
# RFC 6066 does not permit IP literals in the server_name extension, so most clients send no
# SNI at all when connecting to a bare IP and these two rules are unlikely to ever fire.
# No "alert ip $HOME_NET any -> <ip> any" rule for 128.199.54.51 or 161.35.152.204 is visible
# in this part of the export (compare sid:4099971 above); consider adding one per IP under a
# local sid so the destination itself is covered, not just the (probably absent) SNI.
# The second tls rule continues on the next line of this export.
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e237 [misp-galaxy:mitre-intrusion-set="TA551 - G0127",misp-galaxy:mitre-malware="Cobalt Strike - S0154",tlp:white] Outgoing URL https|3a|//128.199.54.51/issue/web/html"; tls.sni; content:"128.199.54.51"; tag:session,600,seconds; classtype:trojan-activity; sid:4100311; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/237;)
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e237 [misp-galaxy:mitre-intrusion-set="TA551 - G0127",misp-galaxy:mitre-malware="Cobalt Strike - S0154",tlp:white] Outgoing URL https|3a|//161.35.152.204/issue/web/html"; tls.sni; content:"161.35.152.204"; tag:session,600,seconds; classtype:trojan-activity; sid:4100321; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/237;) alert dns any any -> any any (msg: "MISP e237 [misp-galaxy:mitre-intrusion-set="TA551 - G0127",misp-galaxy:mitre-malware="Cobalt Strike - S0154",tlp:white] Domain xagadi.com"; dns.query; content:"xagadi.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])xagadi\.com$/i"; classtype:trojan-activity; sid:4100331; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/237;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e237 [misp-galaxy:mitre-intrusion-set="TA551 - G0127",misp-galaxy:mitre-malware="Cobalt Strike - S0154",tlp:white] Outgoing HTTP Domain xagadi.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"xagadi.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])xagadi\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4100332; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/237;) alert ip $HOME_NET any -> 23.106.223.174 any (msg: "MISP e237 [misp-galaxy:mitre-intrusion-set="TA551 - G0127",misp-galaxy:mitre-malware="Cobalt Strike - S0154",tlp:white] Outgoing To IP: 23.106.223.174"; classtype:trojan-activity; sid:4100341; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/237;) alert dns any any -> any any (msg: "MISP e238 [misp-galaxy:mitre-intrusion-set="FIN8 - G0061",tlp:white] Domain api-cdn.net"; dns.query; content:"api-cdn.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])api\-cdn\.net$/i"; classtype:trojan-activity; sid:4100381; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/238;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e238 [misp-galaxy:mitre-intrusion-set="FIN8 - G0061",tlp:white] Outgoing HTTP Domain api-cdn.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"api-cdn.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])api\-cdn\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4100382; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/238;) alert dns any any -> any any (msg: "MISP e238 [misp-galaxy:mitre-intrusion-set="FIN8 - G0061",tlp:white] Domain git-api.com"; dns.query; content:"git-api.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])git\-api\.com$/i"; classtype:trojan-activity; sid:4100391; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/238;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e238 [misp-galaxy:mitre-intrusion-set="FIN8 - G0061",tlp:white] Outgoing HTTP Domain git-api.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"git-api.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])git\-api\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4100392; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/238;) alert dns any any -> any any (msg: "MISP e238 [misp-galaxy:mitre-intrusion-set="FIN8 - G0061",tlp:white] Domain api-cdnw5.net"; dns.query; content:"api-cdnw5.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])api\-cdnw5\.net$/i"; classtype:trojan-activity; sid:4100401; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/238;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e238 [misp-galaxy:mitre-intrusion-set="FIN8 - G0061",tlp:white] Outgoing HTTP Domain api-cdnw5.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"api-cdnw5.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])api\-cdnw5\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4100402; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/238;) alert dns any any -> any any (msg: "MISP e238 [misp-galaxy:mitre-intrusion-set="FIN8 - G0061",tlp:white] Hostname 104-168-237-21.sslip.io"; dns.query; content:"104-168-237-21.sslip.io"; nocase; pcre: 
"/(^|[^A-Za-z0-9-\.])104\-168\-237\-21\.sslip\.io$/i"; classtype:trojan-activity; sid:4100411; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/238;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e238 [misp-galaxy:mitre-intrusion-set="FIN8 - G0061",tlp:white] Outgoing HTTP Hostname 104-168-237-21.sslip.io"; flow:to_server,established; http.header; content: "Host|3a| 104-168-237-21.sslip.io"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])104\-168\-237\-21\.sslip\.io[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4100412; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/238;) alert ip $HOME_NET any -> 89.45.4.192 any (msg: "MISP e238 [misp-galaxy:mitre-intrusion-set="FIN8 - G0061",tlp:white] Outgoing To IP: 89.45.4.192"; classtype:trojan-activity; sid:4100421; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/238;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e238 [misp-galaxy:mitre-intrusion-set="FIN8 - G0061",tlp:white] Outgoing URL https|3a|//104-168-237-21.sslip.io/134af6"; tls.sni; content:"104-168-237-21.sslip.io"; tag:session,600,seconds; classtype:trojan-activity; sid:4100431; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/238;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e238 [misp-galaxy:mitre-intrusion-set="FIN8 - G0061",tlp:white] Outgoing URL https|3a|//104-168-237-21.sslip.io/edaea0"; tls.sni; content:"104-168-237-21.sslip.io"; tag:session,600,seconds; classtype:trojan-activity; sid:4100441; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/238;) alert dns any any -> any any (msg: "MISP e239 [misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001",misp-galaxy:mitre-attack-pattern="Digital Certificates - T1587.003",misp-galaxy:mitre-attack-pattern="Domains - T1583.001",misp-galaxy:mitre-attack-pattern="Malware - T1587.001",misp-galaxy:mitre-attack-pattern="Scheduled Task 
- T1053.005",misp-galaxy:mitre-attack-pattern="Server - T1583.004",misp-galaxy:mitre-attack-pattern="Web Services - T1583.006",misp-galaxy:mitre-attack-pattern="Dead Drop Resolver - T1102.001",misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140",misp-galaxy:mitre-attack-pattern="Domain Fronting - T1090.004",misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008",misp-galaxy:mitre-attack-pattern="InstallUtil - T1218.004",misp-galaxy:mitre-attack-pattern="Internet Connection Discovery - T1016.001",misp-galaxy:mitre-attack-pattern="Process Hollowing - T1055.012",misp-galaxy:mitre-attack-pattern="Query Registry - T1012",misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="Token Impersonation/Theft - T1134.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Web Service - T1102",tlp:white] Hostname update.facebookint.workers.dev"; dns.query; content:"update.facebookint.workers.dev"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])update\.facebookint\.workers\.dev$/i"; classtype:trojan-activity; sid:4100661; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/239;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e239 [misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001",misp-galaxy:mitre-attack-pattern="Digital Certificates - T1587.003",misp-galaxy:mitre-attack-pattern="Domains - T1583.001",misp-galaxy:mitre-attack-pattern="Malware - T1587.001",misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005",misp-galaxy:mitre-attack-pattern="Server - T1583.004",misp-galaxy:mitre-attack-pattern="Web Services - T1583.006",misp-galaxy:mitre-attack-pattern="Dead Drop Resolver - T1102.001",misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140",misp-galaxy:mitre-attack-pattern="Domain Fronting - 
T1090.004",misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008",misp-galaxy:mitre-attack-pattern="InstallUtil - T1218.004",misp-galaxy:mitre-attack-pattern="Internet Connection Discovery - T1016.001",misp-galaxy:mitre-attack-pattern="Process Hollowing - T1055.012",misp-galaxy:mitre-attack-pattern="Query Registry - T1012",misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="Token Impersonation/Theft - T1134.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Web Service - T1102",tlp:white] Outgoing HTTP Hostname update.facebookint.workers.dev"; flow:to_server,established; http.header; content: "Host|3a| update.facebookint.workers.dev"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])update\.facebookint\.workers\.dev[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4100662; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/239;) alert dns any any -> any any (msg: "MISP e239 [misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001",misp-galaxy:mitre-attack-pattern="Digital Certificates - T1587.003",misp-galaxy:mitre-attack-pattern="Domains - T1583.001",misp-galaxy:mitre-attack-pattern="Malware - T1587.001",misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005",misp-galaxy:mitre-attack-pattern="Server - T1583.004",misp-galaxy:mitre-attack-pattern="Web Services - T1583.006",misp-galaxy:mitre-attack-pattern="Dead Drop Resolver - T1102.001",misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140",misp-galaxy:mitre-attack-pattern="Domain Fronting - T1090.004",misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008",misp-galaxy:mitre-attack-pattern="InstallUtil - T1218.004",misp-galaxy:mitre-attack-pattern="Internet Connection Discovery - T1016.001",misp-galaxy:mitre-attack-pattern="Process 
Hollowing - T1055.012",misp-galaxy:mitre-attack-pattern="Query Registry - T1012",misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="Token Impersonation/Theft - T1134.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Web Service - T1102",tlp:white] Hostname cdn.cloudfiare.workers.dev"; dns.query; content:"cdn.cloudfiare.workers.dev"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cdn\.cloudfiare\.workers\.dev$/i"; classtype:trojan-activity; sid:4100671; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/239;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e239 [misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001",misp-galaxy:mitre-attack-pattern="Digital Certificates - T1587.003",misp-galaxy:mitre-attack-pattern="Domains - T1583.001",misp-galaxy:mitre-attack-pattern="Malware - T1587.001",misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005",misp-galaxy:mitre-attack-pattern="Server - T1583.004",misp-galaxy:mitre-attack-pattern="Web Services - T1583.006",misp-galaxy:mitre-attack-pattern="Dead Drop Resolver - T1102.001",misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140",misp-galaxy:mitre-attack-pattern="Domain Fronting - T1090.004",misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008",misp-galaxy:mitre-attack-pattern="InstallUtil - T1218.004",misp-galaxy:mitre-attack-pattern="Internet Connection Discovery - T1016.001",misp-galaxy:mitre-attack-pattern="Process Hollowing - T1055.012",misp-galaxy:mitre-attack-pattern="Query Registry - T1012",misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="Token Impersonation/Theft - T1134.001",misp-galaxy:mitre-attack-pattern="Web Protocols - 
T1071.001",misp-galaxy:mitre-attack-pattern="Web Service - T1102",tlp:white] Outgoing HTTP Hostname cdn.cloudfiare.workers.dev"; flow:to_server,established; http.header; content: "Host|3a| cdn.cloudfiare.workers.dev"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cdn\.cloudfiare\.workers\.dev[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4100672; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/239;) alert ip $HOME_NET any -> 104.21.49.220 any (msg: "MISP e239 [misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001",misp-galaxy:mitre-attack-pattern="Digital Certificates - T1587.003",misp-galaxy:mitre-attack-pattern="Domains - T1583.001",misp-galaxy:mitre-attack-pattern="Malware - T1587.001",misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005",misp-galaxy:mitre-attack-pattern="Server - T1583.004",misp-galaxy:mitre-attack-pattern="Web Services - T1583.006",misp-galaxy:mitre-attack-pattern="Dead Drop Resolver - T1102.001",misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140",misp-galaxy:mitre-attack-pattern="Domain Fronting - T1090.004",misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008",misp-galaxy:mitre-attack-pattern="InstallUtil - T1218.004",misp-galaxy:mitre-attack-pattern="Internet Connection Discovery - T1016.001",misp-galaxy:mitre-attack-pattern="Process Hollowing - T1055.012",misp-galaxy:mitre-attack-pattern="Query Registry - T1012",misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="Token Impersonation/Theft - T1134.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Web Service - T1102",tlp:white] Outgoing To IP: 104.21.49.220"; classtype:trojan-activity; sid:4100681; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/239;) alert ip $HOME_NET any -> 
80.85.155.80 any (msg: "MISP e239 [misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001",misp-galaxy:mitre-attack-pattern="Digital Certificates - T1587.003",misp-galaxy:mitre-attack-pattern="Domains - T1583.001",misp-galaxy:mitre-attack-pattern="Malware - T1587.001",misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005",misp-galaxy:mitre-attack-pattern="Server - T1583.004",misp-galaxy:mitre-attack-pattern="Web Services - T1583.006",misp-galaxy:mitre-attack-pattern="Dead Drop Resolver - T1102.001",misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140",misp-galaxy:mitre-attack-pattern="Domain Fronting - T1090.004",misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008",misp-galaxy:mitre-attack-pattern="InstallUtil - T1218.004",misp-galaxy:mitre-attack-pattern="Internet Connection Discovery - T1016.001",misp-galaxy:mitre-attack-pattern="Process Hollowing - T1055.012",misp-galaxy:mitre-attack-pattern="Query Registry - T1012",misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="Token Impersonation/Theft - T1134.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Web Service - T1102",tlp:white] Outgoing To IP: 80.85.155.80"; classtype:trojan-activity; sid:4100691; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/239;) alert ip $HOME_NET any -> 193.38.54.110 any (msg: "MISP e239 [misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001",misp-galaxy:mitre-attack-pattern="Digital Certificates - T1587.003",misp-galaxy:mitre-attack-pattern="Domains - T1583.001",misp-galaxy:mitre-attack-pattern="Malware - T1587.001",misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005",misp-galaxy:mitre-attack-pattern="Server - T1583.004",misp-galaxy:mitre-attack-pattern="Web Services - 
T1583.006",misp-galaxy:mitre-attack-pattern="Dead Drop Resolver - T1102.001",misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140",misp-galaxy:mitre-attack-pattern="Domain Fronting - T1090.004",misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008",misp-galaxy:mitre-attack-pattern="InstallUtil - T1218.004",misp-galaxy:mitre-attack-pattern="Internet Connection Discovery - T1016.001",misp-galaxy:mitre-attack-pattern="Process Hollowing - T1055.012",misp-galaxy:mitre-attack-pattern="Query Registry - T1012",misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="Token Impersonation/Theft - T1134.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Web Service - T1102",tlp:white] Outgoing To IP: 193.38.54.110"; classtype:trojan-activity; sid:4100701; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/239;)
# NOTE(review): the rule below looks for a .onion hostname in a cleartext HTTP header on
# $HTTP_PORTS. A client that really reaches a .onion service carries the name inside Tor,
# where the sensor never sees it, so this rule can only fire when the name is relayed through
# a clearnet proxy/gateway or quoted in some other header. Expect very few hits, treat any hit
# as worth triage, and do not read silence here as "no Tor activity" -- the Tor connection
# itself is not covered by this export section. Unlike the sibling http rules it carries no
# fast_pattern; Suricata selects one automatically, so that is not a defect.
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e240 [tlp:white,misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219"] Outgoing URL http|3a|//hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion"; flow:to_server,established; http.header; content:"hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4100761; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/240;)
alert ip $HOME_NET any -> 172.105.89.243 any (msg: "MISP e241 [misp-galaxy:country="bahrain",misp-galaxy:mitre-malware="Pegasus for iOS - S0289",misp-galaxy:mitre-mobile-attack-malware="Pegasus - MOB-S0005"] Outgoing To IP: 172.105.89.243"; classtype:trojan-activity; sid:4101101; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/241;)
alert ip $HOME_NET any -> 64.227.121.213 any (msg: "MISP 
e241 [misp-galaxy:country="bahrain",misp-galaxy:mitre-malware="Pegasus for iOS - S0289",misp-galaxy:mitre-mobile-attack-malware="Pegasus - MOB-S0005"] Outgoing To IP: 64.227.121.213"; classtype:trojan-activity; sid:4101111; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/241;) alert ip $HOME_NET any -> 206.189.31.108 any (msg: "MISP e241 [misp-galaxy:country="bahrain",misp-galaxy:mitre-malware="Pegasus for iOS - S0289",misp-galaxy:mitre-mobile-attack-malware="Pegasus - MOB-S0005"] Outgoing To IP: 206.189.31.108"; classtype:trojan-activity; sid:4101121; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/241;) alert ip $HOME_NET any -> 195.181.213.122 any (msg: "MISP e241 [misp-galaxy:country="bahrain",misp-galaxy:mitre-malware="Pegasus for iOS - S0289",misp-galaxy:mitre-mobile-attack-malware="Pegasus - MOB-S0005"] Outgoing To IP: 195.181.213.122"; classtype:trojan-activity; sid:4101131; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/241;) alert ip $HOME_NET any -> 80.211.231.5 any (msg: "MISP e241 [misp-galaxy:country="bahrain",misp-galaxy:mitre-malware="Pegasus for iOS - S0289",misp-galaxy:mitre-mobile-attack-malware="Pegasus - MOB-S0005"] Outgoing To IP: 80.211.231.5"; classtype:trojan-activity; sid:4101141; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/241;) alert dns any any -> any any (msg: "MISP e241 [misp-galaxy:country="bahrain",misp-galaxy:mitre-malware="Pegasus for iOS - S0289",misp-galaxy:mitre-mobile-attack-malware="Pegasus - MOB-S0005"] Domain hooklevel.com"; dns.query; content:"hooklevel.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])hooklevel\.com$/i"; classtype:trojan-activity; sid:4101151; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/241;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e241 [misp-galaxy:country="bahrain",misp-galaxy:mitre-malware="Pegasus for iOS - S0289",misp-galaxy:mitre-mobile-attack-malware="Pegasus - MOB-S0005"] 
Outgoing HTTP Domain hooklevel.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hooklevel.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hooklevel\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4101152; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/241;) alert dns any any -> any any (msg: "MISP e241 [misp-galaxy:country="bahrain",misp-galaxy:mitre-malware="Pegasus for iOS - S0289",misp-galaxy:mitre-mobile-attack-malware="Pegasus - MOB-S0005"] Hostname api1r3f4.redirectweburl.com"; dns.query; content:"api1r3f4.redirectweburl.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])api1r3f4\.redirectweburl\.com$/i"; classtype:trojan-activity; sid:4101161; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/241;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e241 [misp-galaxy:country="bahrain",misp-galaxy:mitre-malware="Pegasus for iOS - S0289",misp-galaxy:mitre-mobile-attack-malware="Pegasus - MOB-S0005"] Outgoing HTTP Hostname api1r3f4.redirectweburl.com"; flow:to_server,established; http.header; content: "Host|3a| api1r3f4.redirectweburl.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])api1r3f4\.redirectweburl\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4101162; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/241;) alert dns any any -> any any (msg: "MISP e241 [misp-galaxy:country="bahrain",misp-galaxy:mitre-malware="Pegasus for iOS - S0289",misp-galaxy:mitre-mobile-attack-malware="Pegasus - MOB-S0005"] Domain info-update.org"; dns.query; content:"info-update.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])info\-update\.org$/i"; classtype:trojan-activity; sid:4101171; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/241;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e241 [misp-galaxy:country="bahrain",misp-galaxy:mitre-malware="Pegasus for iOS - 
S0289",misp-galaxy:mitre-mobile-attack-malware="Pegasus - MOB-S0005"] Outgoing HTTP Domain info-update.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"info-update.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])info\-update\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4101172; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/241;) alert dns any any -> any any (msg: "MISP e241 [misp-galaxy:country="bahrain",misp-galaxy:mitre-malware="Pegasus for iOS - S0289",misp-galaxy:mitre-mobile-attack-malware="Pegasus - MOB-S0005"] Domain start-anew.net"; dns.query; content:"start-anew.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])start\-anew\.net$/i"; classtype:trojan-activity; sid:4101181; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/241;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e241 [misp-galaxy:country="bahrain",misp-galaxy:mitre-malware="Pegasus for iOS - S0289",misp-galaxy:mitre-mobile-attack-malware="Pegasus - MOB-S0005"] Outgoing HTTP Domain start-anew.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"start-anew.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])start\-anew\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4101182; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/241;) alert ip $HOME_NET any -> 209.250.237.55 any (msg: "MISP e241 [misp-galaxy:country="bahrain",misp-galaxy:mitre-malware="Pegasus for iOS - S0289",misp-galaxy:mitre-mobile-attack-malware="Pegasus - MOB-S0005"] Outgoing To IP: 209.250.237.55"; classtype:trojan-activity; sid:4101211; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/241;) alert dns any any -> any any (msg: "MISP e241 [misp-galaxy:country="bahrain",misp-galaxy:mitre-malware="Pegasus for iOS - S0289",misp-galaxy:mitre-mobile-attack-malware="Pegasus - MOB-S0005"] 
Domain youneedjelly.net"; dns.query; content:"youneedjelly.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])youneedjelly\.net$/i"; classtype:trojan-activity; sid:4101221; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/241;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e241 [misp-galaxy:country="bahrain",misp-galaxy:mitre-malware="Pegasus for iOS - S0289",misp-galaxy:mitre-mobile-attack-malware="Pegasus - MOB-S0005"] Outgoing HTTP Domain youneedjelly.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"youneedjelly.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])youneedjelly\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4101222; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/241;) alert ip $HOME_NET any -> 92.222.71.144 any (msg: "MISP e241 [misp-galaxy:country="bahrain",misp-galaxy:mitre-malware="Pegasus for iOS - S0289",misp-galaxy:mitre-mobile-attack-malware="Pegasus - MOB-S0005"] Outgoing To IP: 92.222.71.144"; classtype:trojan-activity; sid:4101231; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/241;) alert dns any any -> any any (msg: "MISP e241 [misp-galaxy:country="bahrain",misp-galaxy:mitre-malware="Pegasus for iOS - S0289",misp-galaxy:mitre-mobile-attack-malware="Pegasus - MOB-S0005"] Domain visiblereminder.net"; dns.query; content:"visiblereminder.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])visiblereminder\.net$/i"; classtype:trojan-activity; sid:4101241; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/241;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e241 [misp-galaxy:country="bahrain",misp-galaxy:mitre-malware="Pegasus for iOS - S0289",misp-galaxy:mitre-mobile-attack-malware="Pegasus - MOB-S0005"] Outgoing HTTP Domain visiblereminder.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"visiblereminder.net"; fast_pattern; nocase; 
pcre: "/(^|[^A-Za-z0-9-])visiblereminder\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4101242; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/241;) alert dns any any -> any any (msg: "MISP e241 [misp-galaxy:country="bahrain",misp-galaxy:mitre-malware="Pegasus for iOS - S0289",misp-galaxy:mitre-mobile-attack-malware="Pegasus - MOB-S0005"] Domain reunionlove.net"; dns.query; content:"reunionlove.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])reunionlove\.net$/i"; classtype:trojan-activity; sid:4101251; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/241;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e241 [misp-galaxy:country="bahrain",misp-galaxy:mitre-malware="Pegasus for iOS - S0289",misp-galaxy:mitre-mobile-attack-malware="Pegasus - MOB-S0005"] Outgoing HTTP Domain reunionlove.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"reunionlove.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])reunionlove\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4101252; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/241;) alert dns any any -> any any (msg: "MISP e241 [misp-galaxy:country="bahrain",misp-galaxy:mitre-malware="Pegasus for iOS - S0289",misp-galaxy:mitre-mobile-attack-malware="Pegasus - MOB-S0005"] Domain news-now.co"; dns.query; content:"news-now.co"; nocase; pcre: "/(^|[^A-Za-z0-9-])news\-now\.co$/i"; classtype:trojan-activity; sid:4101261; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/241;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e241 [misp-galaxy:country="bahrain",misp-galaxy:mitre-malware="Pegasus for iOS - S0289",misp-galaxy:mitre-mobile-attack-malware="Pegasus - MOB-S0005"] Outgoing HTTP Domain news-now.co"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"news-now.co"; fast_pattern; nocase; 
pcre: "/(^|[^A-Za-z0-9-])news\-now\.co[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4101262; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/241;) alert dns any any -> any any (msg: "MISP e241 [misp-galaxy:country="bahrain",misp-galaxy:mitre-malware="Pegasus for iOS - S0289",misp-galaxy:mitre-mobile-attack-malware="Pegasus - MOB-S0005"] Domain helpusfind.biz"; dns.query; content:"helpusfind.biz"; nocase; pcre: "/(^|[^A-Za-z0-9-])helpusfind\.biz$/i"; classtype:trojan-activity; sid:4101271; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/241;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e241 [misp-galaxy:country="bahrain",misp-galaxy:mitre-malware="Pegasus for iOS - S0289",misp-galaxy:mitre-mobile-attack-malware="Pegasus - MOB-S0005"] Outgoing HTTP Domain helpusfind.biz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"helpusfind.biz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])helpusfind\.biz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4101272; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/241;) alert dns any any -> any any (msg: "MISP e241 [misp-galaxy:country="bahrain",misp-galaxy:mitre-malware="Pegasus for iOS - S0289",misp-galaxy:mitre-mobile-attack-malware="Pegasus - MOB-S0005"] Domain human-rights-news.com"; dns.query; content:"human-rights-news.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])human\-rights\-news\.com$/i"; classtype:trojan-activity; sid:4101281; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/241;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e241 [misp-galaxy:country="bahrain",misp-galaxy:mitre-malware="Pegasus for iOS - S0289",misp-galaxy:mitre-mobile-attack-malware="Pegasus - MOB-S0005"] Outgoing HTTP Domain human-rights-news.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; 
content:"human-rights-news.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])human\-rights\-news\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4101282; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/241;) alert dns any any -> any any (msg: "MISP e241 [misp-galaxy:country="bahrain",misp-galaxy:mitre-malware="Pegasus for iOS - S0289",misp-galaxy:mitre-mobile-attack-malware="Pegasus - MOB-S0005"] Domain washington-today.com"; dns.query; content:"washington-today.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])washington\-today\.com$/i"; classtype:trojan-activity; sid:4101291; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/241;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e241 [misp-galaxy:country="bahrain",misp-galaxy:mitre-malware="Pegasus for iOS - S0289",misp-galaxy:mitre-mobile-attack-malware="Pegasus - MOB-S0005"] Outgoing HTTP Domain washington-today.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"washington-today.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])washington\-today\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4101292; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/241;) alert dns any any -> any any (msg: "MISP e241 [misp-galaxy:country="bahrain",misp-galaxy:mitre-malware="Pegasus for iOS - S0289",misp-galaxy:mitre-mobile-attack-malware="Pegasus - MOB-S0005"] Domain i-election-online.com"; dns.query; content:"i-election-online.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])i\-election\-online\.com$/i"; classtype:trojan-activity; sid:4101301; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/241;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e241 [misp-galaxy:country="bahrain",misp-galaxy:mitre-malware="Pegasus for iOS - S0289",misp-galaxy:mitre-mobile-attack-malware="Pegasus - MOB-S0005"] Outgoing HTTP Domain 
i-election-online.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"i-election-online.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])i\-election\-online\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4101302; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/241;) alert dns any any -> any any (msg: "MISP e241 [misp-galaxy:country="bahrain",misp-galaxy:mitre-malware="Pegasus for iOS - S0289",misp-galaxy:mitre-mobile-attack-malware="Pegasus - MOB-S0005"] Domain breakingnewyork.info"; dns.query; content:"breakingnewyork.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])breakingnewyork\.info$/i"; classtype:trojan-activity; sid:4101311; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/241;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e241 [misp-galaxy:country="bahrain",misp-galaxy:mitre-malware="Pegasus for iOS - S0289",misp-galaxy:mitre-mobile-attack-malware="Pegasus - MOB-S0005"] Outgoing HTTP Domain breakingnewyork.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"breakingnewyork.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])breakingnewyork\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4101312; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/241;) alert dns any any -> any any (msg: "MISP e241 [misp-galaxy:country="bahrain",misp-galaxy:mitre-malware="Pegasus for iOS - S0289",misp-galaxy:mitre-mobile-attack-malware="Pegasus - MOB-S0005"] Domain siyasimehbus.com"; dns.query; content:"siyasimehbus.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])siyasimehbus\.com$/i"; classtype:trojan-activity; sid:4101321; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/241;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e241 [misp-galaxy:country="bahrain",misp-galaxy:mitre-malware="Pegasus for iOS - 
S0289",misp-galaxy:mitre-mobile-attack-malware="Pegasus - MOB-S0005"] Outgoing HTTP Domain siyasimehbus.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"siyasimehbus.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])siyasimehbus\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4101322; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/241;) alert dns any any -> any any (msg: "MISP e241 [misp-galaxy:country="bahrain",misp-galaxy:mitre-malware="Pegasus for iOS - S0289",misp-galaxy:mitre-mobile-attack-malware="Pegasus - MOB-S0005"] Domain mitinq23fevral.info"; dns.query; content:"mitinq23fevral.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])mitinq23fevral\.info$/i"; classtype:trojan-activity; sid:4101331; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/241;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e241 [misp-galaxy:country="bahrain",misp-galaxy:mitre-malware="Pegasus for iOS - S0289",misp-galaxy:mitre-mobile-attack-malware="Pegasus - MOB-S0005"] Outgoing HTTP Domain mitinq23fevral.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mitinq23fevral.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mitinq23fevral\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4101332; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/241;) alert dns any any -> any any (msg: "MISP e242 [tlp:white] Domain domain-propagation-test.be"; dns.query; content:"domain-propagation-test.be"; nocase; pcre: "/(^|[^A-Za-z0-9-])domain\-propagation\-test\.be$/i"; classtype:trojan-activity; sid:4101351; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/242;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e242 [tlp:white] Outgoing HTTP Domain domain-propagation-test.be"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; 
http.header; content:"domain-propagation-test.be"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])domain\-propagation\-test\.be[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4101352; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/242;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e242 [tlp:white] Outgoing URL https|3a|//domain-propagation-test.be"; tls.sni; content:"domain-propagation-test.be"; tag:session,600,seconds; classtype:trojan-activity; sid:4101361; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/242;) alert http $HOME_NET any -> $EXTERNAL_NET 7272 (msg: "MISP e244 [misp-galaxy:malpedia="JSOutProx",tlp:white] Outgoing URL http|3a|//dilideanter.zapto.org|3a|7272/"; flow:to_server,established; http.header; content:"dilideanter.zapto.org"; fast_pattern; nocase; http.uri; content:"/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4101531; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/244;) alert dns any any -> any any (msg: "MISP e244 [misp-galaxy:malpedia="JSOutProx",tlp:white] Hostname dilideanter.zapto.org"; dns.query; content:"dilideanter.zapto.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])dilideanter\.zapto\.org$/i"; classtype:trojan-activity; sid:4101541; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/244;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e244 [misp-galaxy:malpedia="JSOutProx",tlp:white] Outgoing HTTP Hostname dilideanter.zapto.org"; flow:to_server,established; http.header; content: "Host|3a| dilideanter.zapto.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])dilideanter\.zapto\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4101542; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/244;) alert ip $HOME_NET any -> 160.202.163.100 any (msg: "MISP e245 [misp-galaxy:malpedia="Cobalt 
Strike",misp-galaxy:mitre-enterprise-attack-tool="Cobalt Strike - S0154",tlp:white] Outgoing To IP: 160.202.163.100"; classtype:trojan-activity; sid:4101631; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/245;) alert dns any any -> any any (msg: "MISP e245 [misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:mitre-enterprise-attack-tool="Cobalt Strike - S0154",tlp:white] Hostname update.microsofthk.com"; dns.query; content:"update.microsofthk.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])update\.microsofthk\.com$/i"; classtype:trojan-activity; sid:4101641; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/245;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e245 [misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:mitre-enterprise-attack-tool="Cobalt Strike - S0154",tlp:white] Outgoing HTTP Hostname update.microsofthk.com"; flow:to_server,established; http.header; content: "Host|3a| update.microsofthk.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])update\.microsofthk\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4101642; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/245;) alert dns any any -> any any (msg: "MISP e245 [misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:mitre-enterprise-attack-tool="Cobalt Strike - S0154",tlp:white] Hostname update.microsoftkernel.com"; dns.query; content:"update.microsoftkernel.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])update\.microsoftkernel\.com$/i"; classtype:trojan-activity; sid:4101651; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/245;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e245 [misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:mitre-enterprise-attack-tool="Cobalt Strike - S0154",tlp:white] Outgoing HTTP Hostname update.microsoftkernel.com"; flow:to_server,established; http.header; content: "Host|3a| update.microsoftkernel.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-\.])update\.microsoftkernel\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4101652; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/245;) alert dns any any -> any any (msg: "MISP e245 [misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:mitre-enterprise-attack-tool="Cobalt Strike - S0154",tlp:white] Hostname amazon.hksupd.com"; dns.query; content:"amazon.hksupd.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])amazon\.hksupd\.com$/i"; classtype:trojan-activity; sid:4101661; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/245;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e245 [misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:mitre-enterprise-attack-tool="Cobalt Strike - S0154",tlp:white] Outgoing HTTP Hostname amazon.hksupd.com"; flow:to_server,established; http.header; content: "Host|3a| amazon.hksupd.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])amazon\.hksupd\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4101662; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/245;) alert dns any any -> any any (msg: "MISP e247 [misp-galaxy:mitre-enterprise-attack-attack-pattern="Remote Access Tools - T1219",tlp:white] Domain amnestyinternationalantipegasus.com"; dns.query; content:"amnestyinternationalantipegasus.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])amnestyinternationalantipegasus\.com$/i"; classtype:trojan-activity; sid:4102071; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/247;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e247 [misp-galaxy:mitre-enterprise-attack-attack-pattern="Remote Access Tools - T1219",tlp:white] Outgoing HTTP Domain amnestyinternationalantipegasus.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"amnestyinternationalantipegasus.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])amnestyinternationalantipegasus\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4102072; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/247;) alert dns any any -> any any (msg: "MISP e247 [misp-galaxy:mitre-enterprise-attack-attack-pattern="Remote Access Tools - T1219",tlp:white] Domain medicalsystemworld.site"; dns.query; content:"medicalsystemworld.site"; nocase; pcre: "/(^|[^A-Za-z0-9-])medicalsystemworld\.site$/i"; classtype:trojan-activity; sid:4102081; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/247;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e247 [misp-galaxy:mitre-enterprise-attack-attack-pattern="Remote Access Tools - T1219",tlp:white] Outgoing HTTP Domain medicalsystemworld.site"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"medicalsystemworld.site"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])medicalsystemworld\.site[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4102082; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/247;) alert dns any any -> any any (msg: "MISP e247 [misp-galaxy:mitre-enterprise-attack-attack-pattern="Remote Access Tools - T1219",tlp:white] Domain alwaysstriveandprosper.space"; dns.query; content:"alwaysstriveandprosper.space"; nocase; pcre: "/(^|[^A-Za-z0-9-])alwaysstriveandprosper\.space$/i"; classtype:trojan-activity; sid:4102091; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/247;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e247 [misp-galaxy:mitre-enterprise-attack-attack-pattern="Remote Access Tools - T1219",tlp:white] Outgoing HTTP Domain alwaysstriveandprosper.space"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"alwaysstriveandprosper.space"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])alwaysstriveandprosper\.space[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4102092; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/247;) alert dns any any -> any any (msg: "MISP e247 [misp-galaxy:mitre-enterprise-attack-attack-pattern="Remote Access Tools - T1219",tlp:white] Domain amnestyvspegasus.com"; dns.query; content:"amnestyvspegasus.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])amnestyvspegasus\.com$/i"; classtype:trojan-activity; sid:4102101; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/247;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e247 [misp-galaxy:mitre-enterprise-attack-attack-pattern="Remote Access Tools - T1219",tlp:white] Outgoing HTTP Domain amnestyvspegasus.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"amnestyvspegasus.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])amnestyvspegasus\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4102102; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/247;) alert dns any any -> any any (msg: "MISP e247 [misp-galaxy:mitre-enterprise-attack-attack-pattern="Remote Access Tools - T1219",tlp:white] Domain antipegasusamnesty.com"; dns.query; content:"antipegasusamnesty.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])antipegasusamnesty\.com$/i"; classtype:trojan-activity; sid:4102111; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/247;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e247 [misp-galaxy:mitre-enterprise-attack-attack-pattern="Remote Access Tools - T1219",tlp:white] Outgoing HTTP Domain antipegasusamnesty.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"antipegasusamnesty.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])antipegasusamnesty\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; 
sid:4102112; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/247;) alert dns any any -> any any (msg: "MISP e247 [misp-galaxy:mitre-enterprise-attack-attack-pattern="Remote Access Tools - T1219",tlp:white] Domain mementomoriforlife.ru"; dns.query; content:"mementomoriforlife.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])mementomoriforlife\.ru$/i"; classtype:trojan-activity; sid:4102121; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/247;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e247 [misp-galaxy:mitre-enterprise-attack-attack-pattern="Remote Access Tools - T1219",tlp:white] Outgoing HTTP Domain mementomoriforlife.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mementomoriforlife.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mementomoriforlife\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4102122; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/247;) alert ip $HOME_NET any -> 87.249.53.124 any (msg: "MISP e247 [misp-galaxy:mitre-enterprise-attack-attack-pattern="Remote Access Tools - T1219",tlp:white] Outgoing To IP: 87.249.53.124"; classtype:trojan-activity; sid:4102131; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/247;) alert ip $HOME_NET any -> 185.215.113.67 any (msg: "MISP e247 [misp-galaxy:mitre-enterprise-attack-attack-pattern="Remote Access Tools - T1219",tlp:white] Outgoing To IP: 185.215.113.67"; classtype:trojan-activity; sid:4102141; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/247;) alert ip $HOME_NET any -> 194.9.71.129 any (msg: "MISP e247 [misp-galaxy:mitre-enterprise-attack-attack-pattern="Remote Access Tools - T1219",tlp:white] Outgoing To IP: 194.9.71.129"; classtype:trojan-activity; sid:4102151; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/247;) alert ip $HOME_NET any -> 185.161.211.97 any (msg: "MISP e248 
[misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002",misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020",misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004",misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Transfer Size Limits - T1030",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="Exfiltration Over Web Service - T1567",misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004",misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation Event Subscription - T1546.003",misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003",tlp:white] Outgoing To IP: 185.161.211.97"; classtype:trojan-activity; sid:4102251; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/248;) alert dns any any -> any any (msg: "MISP e248 [misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002",misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020",misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004",misp-galaxy:mitre-attack-pattern="DLL Side-Loading - 
T1574.002",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Transfer Size Limits - T1030",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="Exfiltration Over Web Service - T1567",misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004",misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation Event Subscription - T1546.003",misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003",tlp:white] Hostname sery.brushupdata.com"; dns.query; content:"sery.brushupdata.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])sery\.brushupdata\.com$/i"; classtype:trojan-activity; sid:4102261; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/248;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e248 [misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002",misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020",misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004",misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Transfer Size Limits - T1030",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="Exfiltration Over Web Service - T1567",misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004",misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation Event Subscription - 
T1546.003",misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003",tlp:white] Outgoing HTTP Hostname sery.brushupdata.com"; flow:to_server,established; http.header; content: "Host|3a| sery.brushupdata.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])sery\.brushupdata\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4102262; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/248;) alert dns any any -> any any (msg: "MISP e248 [misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002",misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020",misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004",misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Transfer Size Limits - T1030",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="Exfiltration Over Web Service - T1567",misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004",misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation Event Subscription - T1546.003",misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003",tlp:white] Hostname dnssery.brushupdata.com"; dns.query; content:"dnssery.brushupdata.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])dnssery\.brushupdata\.com$/i"; classtype:trojan-activity; sid:4102271; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/248;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e248 
[misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002",misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020",misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004",misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Transfer Size Limits - T1030",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="Exfiltration Over Web Service - T1567",misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004",misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation Event Subscription - T1546.003",misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003",tlp:white] Outgoing HTTP Hostname dnssery.brushupdata.com"; flow:to_server,established; http.header; content: "Host|3a| dnssery.brushupdata.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])dnssery\.brushupdata\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4102272; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/248;) alert dns any any -> any any (msg: "MISP e248 [misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Service 
Execution - T1569.002",misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020",misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004",misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Transfer Size Limits - T1030",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="Exfiltration Over Web Service - T1567",misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004",misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation Event Subscription - T1546.003",misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003",tlp:white] Hostname center.asmlbigip.com"; dns.query; content:"center.asmlbigip.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])center\.asmlbigip\.com$/i"; classtype:trojan-activity; sid:4102281; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/248;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e248 [misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002",misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020",misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004",misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Transfer Size Limits - T1030",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="Exfiltration Over Web Service - 
T1567",misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004",misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation Event Subscription - T1546.003",misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003",tlp:white] Outgoing HTTP Hostname center.asmlbigip.com"; flow:to_server,established; http.header; content: "Host|3a| center.asmlbigip.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])center\.asmlbigip\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4102282; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/248;) alert ip $HOME_NET any -> 47.107.60.212 any (msg: "MISP e249 [misp-galaxy:mitre-attack-pattern="Boot or Logon Initialization Scripts - T1037",misp-galaxy:mitre-attack-pattern="Compromise Client Software Binary - T1554",misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140",misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008",misp-galaxy:mitre-attack-pattern="File Transfer Protocols - T1071.002",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001",misp-galaxy:mitre-attack-pattern="Hide Artifacts - T1564",misp-galaxy:mitre-attack-pattern="Kernel Modules and Extensions - T1547.006",misp-galaxy:mitre-attack-pattern="Linux and Mac File and Directory Permissions Modification - T1222.002",misp-galaxy:mitre-attack-pattern="Modify Authentication Process - T1556",misp-galaxy:mitre-attack-pattern="Native API - T1106",misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Python - T1059.006",misp-galaxy:mitre-attack-pattern="Rootkit - T1014",misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001",misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - 
T1573.001",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",tlp:white] Outgoing To IP: 47.107.60.212"; classtype:trojan-activity; sid:4102631; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/249;) alert ip $HOME_NET any -> 47.112.197.119 any (msg: "MISP e249 [misp-galaxy:mitre-attack-pattern="Boot or Logon Initialization Scripts - T1037",misp-galaxy:mitre-attack-pattern="Compromise Client Software Binary - T1554",misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140",misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008",misp-galaxy:mitre-attack-pattern="File Transfer Protocols - T1071.002",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001",misp-galaxy:mitre-attack-pattern="Hide Artifacts - T1564",misp-galaxy:mitre-attack-pattern="Kernel Modules and Extensions - T1547.006",misp-galaxy:mitre-attack-pattern="Linux and Mac File and Directory Permissions Modification - T1222.002",misp-galaxy:mitre-attack-pattern="Modify Authentication Process - T1556",misp-galaxy:mitre-attack-pattern="Native API - T1106",misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Python - T1059.006",misp-galaxy:mitre-attack-pattern="Rootkit - T1014",misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001",misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004",misp-galaxy:mitre-attack-pattern="User Execution - 
T1204",misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",tlp:white] Outgoing To IP: 47.112.197.119"; classtype:trojan-activity; sid:4102641; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/249;) alert ip $HOME_NET any -> 156.238.111.174 any (msg: "MISP e249 [misp-galaxy:mitre-attack-pattern="Boot or Logon Initialization Scripts - T1037",misp-galaxy:mitre-attack-pattern="Compromise Client Software Binary - T1554",misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140",misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008",misp-galaxy:mitre-attack-pattern="File Transfer Protocols - T1071.002",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001",misp-galaxy:mitre-attack-pattern="Hide Artifacts - T1564",misp-galaxy:mitre-attack-pattern="Kernel Modules and Extensions - T1547.006",misp-galaxy:mitre-attack-pattern="Linux and Mac File and Directory Permissions Modification - T1222.002",misp-galaxy:mitre-attack-pattern="Modify Authentication Process - T1556",misp-galaxy:mitre-attack-pattern="Native API - T1106",misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Python - T1059.006",misp-galaxy:mitre-attack-pattern="Rootkit - T1014",misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001",misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",tlp:white] Outgoing To IP: 156.238.111.174"; 
classtype:trojan-activity; sid:4102651; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/249;) alert ip $HOME_NET any -> 172.96.231.69 any (msg: "MISP e249 [misp-galaxy:mitre-attack-pattern="Boot or Logon Initialization Scripts - T1037",misp-galaxy:mitre-attack-pattern="Compromise Client Software Binary - T1554",misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140",misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008",misp-galaxy:mitre-attack-pattern="File Transfer Protocols - T1071.002",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001",misp-galaxy:mitre-attack-pattern="Hide Artifacts - T1564",misp-galaxy:mitre-attack-pattern="Kernel Modules and Extensions - T1547.006",misp-galaxy:mitre-attack-pattern="Linux and Mac File and Directory Permissions Modification - T1222.002",misp-galaxy:mitre-attack-pattern="Modify Authentication Process - T1556",misp-galaxy:mitre-attack-pattern="Native API - T1106",misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Python - T1059.006",misp-galaxy:mitre-attack-pattern="Rootkit - T1014",misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001",misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",tlp:white] Outgoing To IP: 172.96.231.69"; classtype:trojan-activity; sid:4102661; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/249;) alert dns any any -> any any (msg: "MISP e249 
[misp-galaxy:mitre-attack-pattern="Boot or Logon Initialization Scripts - T1037",misp-galaxy:mitre-attack-pattern="Compromise Client Software Binary - T1554",misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140",misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008",misp-galaxy:mitre-attack-pattern="File Transfer Protocols - T1071.002",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001",misp-galaxy:mitre-attack-pattern="Hide Artifacts - T1564",misp-galaxy:mitre-attack-pattern="Kernel Modules and Extensions - T1547.006",misp-galaxy:mitre-attack-pattern="Linux and Mac File and Directory Permissions Modification - T1222.002",misp-galaxy:mitre-attack-pattern="Modify Authentication Process - T1556",misp-galaxy:mitre-attack-pattern="Native API - T1106",misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Python - T1059.006",misp-galaxy:mitre-attack-pattern="Rootkit - T1014",misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001",misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",tlp:white] Hostname hm2.yrnykx.com"; dns.query; content:"hm2.yrnykx.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])hm2\.yrnykx\.com$/i"; classtype:trojan-activity; sid:4102671; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/249;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e249 [misp-galaxy:mitre-attack-pattern="Boot or Logon Initialization Scripts - 
T1037",misp-galaxy:mitre-attack-pattern="Compromise Client Software Binary - T1554",misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140",misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008",misp-galaxy:mitre-attack-pattern="File Transfer Protocols - T1071.002",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001",misp-galaxy:mitre-attack-pattern="Hide Artifacts - T1564",misp-galaxy:mitre-attack-pattern="Kernel Modules and Extensions - T1547.006",misp-galaxy:mitre-attack-pattern="Linux and Mac File and Directory Permissions Modification - T1222.002",misp-galaxy:mitre-attack-pattern="Modify Authentication Process - T1556",misp-galaxy:mitre-attack-pattern="Native API - T1106",misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Python - T1059.006",misp-galaxy:mitre-attack-pattern="Rootkit - T1014",misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001",misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",tlp:white] Outgoing HTTP Hostname hm2.yrnykx.com"; flow:to_server,established; http.header; content: "Host|3a| hm2.yrnykx.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])hm2\.yrnykx\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4102672; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/249;) alert dns any any -> any any (msg: "MISP e249 [misp-galaxy:mitre-attack-pattern="Boot or Logon Initialization Scripts - 
T1037",misp-galaxy:mitre-attack-pattern="Compromise Client Software Binary - T1554",misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140",misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008",misp-galaxy:mitre-attack-pattern="File Transfer Protocols - T1071.002",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001",misp-galaxy:mitre-attack-pattern="Hide Artifacts - T1564",misp-galaxy:mitre-attack-pattern="Kernel Modules and Extensions - T1547.006",misp-galaxy:mitre-attack-pattern="Linux and Mac File and Directory Permissions Modification - T1222.002",misp-galaxy:mitre-attack-pattern="Modify Authentication Process - T1556",misp-galaxy:mitre-attack-pattern="Native API - T1106",misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Python - T1059.006",misp-galaxy:mitre-attack-pattern="Rootkit - T1014",misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001",misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",tlp:white] Domain ywbgrcrupasdiqxknwgceatlnbvmezti.com"; dns.query; content:"ywbgrcrupasdiqxknwgceatlnbvmezti.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ywbgrcrupasdiqxknwgceatlnbvmezti\.com$/i"; classtype:trojan-activity; sid:4102681; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/249;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e249 [misp-galaxy:mitre-attack-pattern="Boot or Logon Initialization Scripts - 
T1037",misp-galaxy:mitre-attack-pattern="Compromise Client Software Binary - T1554",misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140",misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008",misp-galaxy:mitre-attack-pattern="File Transfer Protocols - T1071.002",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001",misp-galaxy:mitre-attack-pattern="Hide Artifacts - T1564",misp-galaxy:mitre-attack-pattern="Kernel Modules and Extensions - T1547.006",misp-galaxy:mitre-attack-pattern="Linux and Mac File and Directory Permissions Modification - T1222.002",misp-galaxy:mitre-attack-pattern="Modify Authentication Process - T1556",misp-galaxy:mitre-attack-pattern="Native API - T1106",misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Python - T1059.006",misp-galaxy:mitre-attack-pattern="Rootkit - T1014",misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001",misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",tlp:white] Outgoing HTTP Domain ywbgrcrupasdiqxknwgceatlnbvmezti.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ywbgrcrupasdiqxknwgceatlnbvmezti.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ywbgrcrupasdiqxknwgceatlnbvmezti\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4102682; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/249;) alert dns any any -> any any (msg: "MISP 
e249 [misp-galaxy:mitre-attack-pattern="Boot or Logon Initialization Scripts - T1037",misp-galaxy:mitre-attack-pattern="Compromise Client Software Binary - T1554",misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140",misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008",misp-galaxy:mitre-attack-pattern="File Transfer Protocols - T1071.002",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001",misp-galaxy:mitre-attack-pattern="Hide Artifacts - T1564",misp-galaxy:mitre-attack-pattern="Kernel Modules and Extensions - T1547.006",misp-galaxy:mitre-attack-pattern="Linux and Mac File and Directory Permissions Modification - T1222.002",misp-galaxy:mitre-attack-pattern="Modify Authentication Process - T1556",misp-galaxy:mitre-attack-pattern="Native API - T1106",misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Python - T1059.006",misp-galaxy:mitre-attack-pattern="Rootkit - T1014",misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001",misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",tlp:white] Domain yhgrffndvzbtoilmundkmvbaxrjtqsew.com"; dns.query; content:"yhgrffndvzbtoilmundkmvbaxrjtqsew.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])yhgrffndvzbtoilmundkmvbaxrjtqsew\.com$/i"; classtype:trojan-activity; sid:4102691; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/249;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e249 [misp-galaxy:mitre-attack-pattern="Boot 
or Logon Initialization Scripts - T1037",misp-galaxy:mitre-attack-pattern="Compromise Client Software Binary - T1554",misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140",misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008",misp-galaxy:mitre-attack-pattern="File Transfer Protocols - T1071.002",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001",misp-galaxy:mitre-attack-pattern="Hide Artifacts - T1564",misp-galaxy:mitre-attack-pattern="Kernel Modules and Extensions - T1547.006",misp-galaxy:mitre-attack-pattern="Linux and Mac File and Directory Permissions Modification - T1222.002",misp-galaxy:mitre-attack-pattern="Modify Authentication Process - T1556",misp-galaxy:mitre-attack-pattern="Native API - T1106",misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Python - T1059.006",misp-galaxy:mitre-attack-pattern="Rootkit - T1014",misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001",misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",tlp:white] Outgoing HTTP Domain yhgrffndvzbtoilmundkmvbaxrjtqsew.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"yhgrffndvzbtoilmundkmvbaxrjtqsew.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])yhgrffndvzbtoilmundkmvbaxrjtqsew\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4102692; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/249;) alert 
dns any any -> any any (msg: "MISP e249 [misp-galaxy:mitre-attack-pattern="Boot or Logon Initialization Scripts - T1037",misp-galaxy:mitre-attack-pattern="Compromise Client Software Binary - T1554",misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140",misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008",misp-galaxy:mitre-attack-pattern="File Transfer Protocols - T1071.002",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001",misp-galaxy:mitre-attack-pattern="Hide Artifacts - T1564",misp-galaxy:mitre-attack-pattern="Kernel Modules and Extensions - T1547.006",misp-galaxy:mitre-attack-pattern="Linux and Mac File and Directory Permissions Modification - T1222.002",misp-galaxy:mitre-attack-pattern="Modify Authentication Process - T1556",misp-galaxy:mitre-attack-pattern="Native API - T1106",misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Python - T1059.006",misp-galaxy:mitre-attack-pattern="Rootkit - T1014",misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001",misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",tlp:white] Domain wcmbqxzeuopnvyfmhkstaretfciywdrl.name"; dns.query; content:"wcmbqxzeuopnvyfmhkstaretfciywdrl.name"; nocase; pcre: "/(^|[^A-Za-z0-9-])wcmbqxzeuopnvyfmhkstaretfciywdrl\.name$/i"; classtype:trojan-activity; sid:4102701; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/249;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e249 
[misp-galaxy:mitre-attack-pattern="Boot or Logon Initialization Scripts - T1037",misp-galaxy:mitre-attack-pattern="Compromise Client Software Binary - T1554",misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140",misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008",misp-galaxy:mitre-attack-pattern="File Transfer Protocols - T1071.002",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001",misp-galaxy:mitre-attack-pattern="Hide Artifacts - T1564",misp-galaxy:mitre-attack-pattern="Kernel Modules and Extensions - T1547.006",misp-galaxy:mitre-attack-pattern="Linux and Mac File and Directory Permissions Modification - T1222.002",misp-galaxy:mitre-attack-pattern="Modify Authentication Process - T1556",misp-galaxy:mitre-attack-pattern="Native API - T1106",misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Python - T1059.006",misp-galaxy:mitre-attack-pattern="Rootkit - T1014",misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001",misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",tlp:white] Outgoing HTTP Domain wcmbqxzeuopnvyfmhkstaretfciywdrl.name"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wcmbqxzeuopnvyfmhkstaretfciywdrl.name"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wcmbqxzeuopnvyfmhkstaretfciywdrl\.name[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4102702; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/249;) alert dns any any -> any any (msg: "MISP e249 [misp-galaxy:mitre-attack-pattern="Boot or Logon Initialization Scripts - T1037",misp-galaxy:mitre-attack-pattern="Compromise Client Software Binary - T1554",misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140",misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008",misp-galaxy:mitre-attack-pattern="File Transfer Protocols - T1071.002",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001",misp-galaxy:mitre-attack-pattern="Hide Artifacts - T1564",misp-galaxy:mitre-attack-pattern="Kernel Modules and Extensions - T1547.006",misp-galaxy:mitre-attack-pattern="Linux and Mac File and Directory Permissions Modification - T1222.002",misp-galaxy:mitre-attack-pattern="Modify Authentication Process - T1556",misp-galaxy:mitre-attack-pattern="Native API - T1106",misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Python - T1059.006",misp-galaxy:mitre-attack-pattern="Rootkit - T1014",misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001",misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",tlp:white] Domain ruciplbrxwjscyhtapvlfskoqqgnxevw.name"; dns.query; content:"ruciplbrxwjscyhtapvlfskoqqgnxevw.name"; nocase; pcre: "/(^|[^A-Za-z0-9-])ruciplbrxwjscyhtapvlfskoqqgnxevw\.name$/i"; classtype:trojan-activity; sid:4102711; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/249;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e249 [misp-galaxy:mitre-attack-pattern="Boot or Logon Initialization Scripts - T1037",misp-galaxy:mitre-attack-pattern="Compromise Client Software Binary - T1554",misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140",misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008",misp-galaxy:mitre-attack-pattern="File Transfer Protocols - T1071.002",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001",misp-galaxy:mitre-attack-pattern="Hide Artifacts - T1564",misp-galaxy:mitre-attack-pattern="Kernel Modules and Extensions - T1547.006",misp-galaxy:mitre-attack-pattern="Linux and Mac File and Directory Permissions Modification - T1222.002",misp-galaxy:mitre-attack-pattern="Modify Authentication Process - T1556",misp-galaxy:mitre-attack-pattern="Native API - T1106",misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Python - T1059.006",misp-galaxy:mitre-attack-pattern="Rootkit - T1014",misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001",misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",tlp:white] Outgoing HTTP Domain ruciplbrxwjscyhtapvlfskoqqgnxevw.name"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ruciplbrxwjscyhtapvlfskoqqgnxevw.name"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ruciplbrxwjscyhtapvlfskoqqgnxevw\.name[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4102712; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/249;) alert dns any any -> any any (msg: "MISP e249 [misp-galaxy:mitre-attack-pattern="Boot or Logon Initialization Scripts - T1037",misp-galaxy:mitre-attack-pattern="Compromise Client Software Binary - T1554",misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140",misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008",misp-galaxy:mitre-attack-pattern="File Transfer Protocols - T1071.002",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001",misp-galaxy:mitre-attack-pattern="Hide Artifacts - T1564",misp-galaxy:mitre-attack-pattern="Kernel Modules and Extensions - T1547.006",misp-galaxy:mitre-attack-pattern="Linux and Mac File and Directory Permissions Modification - T1222.002",misp-galaxy:mitre-attack-pattern="Modify Authentication Process - T1556",misp-galaxy:mitre-attack-pattern="Native API - T1106",misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Python - T1059.006",misp-galaxy:mitre-attack-pattern="Rootkit - T1014",misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001",misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",tlp:white] Domain pdjwebrfgdyzljmwtxcoyomapxtzchvn.com"; dns.query; content:"pdjwebrfgdyzljmwtxcoyomapxtzchvn.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])pdjwebrfgdyzljmwtxcoyomapxtzchvn\.com$/i"; classtype:trojan-activity; sid:4102721; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/249;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e249 [misp-galaxy:mitre-attack-pattern="Boot or Logon Initialization Scripts - T1037",misp-galaxy:mitre-attack-pattern="Compromise Client Software Binary - T1554",misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140",misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008",misp-galaxy:mitre-attack-pattern="File Transfer Protocols - T1071.002",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001",misp-galaxy:mitre-attack-pattern="Hide Artifacts - T1564",misp-galaxy:mitre-attack-pattern="Kernel Modules and Extensions - T1547.006",misp-galaxy:mitre-attack-pattern="Linux and Mac File and Directory Permissions Modification - T1222.002",misp-galaxy:mitre-attack-pattern="Modify Authentication Process - T1556",misp-galaxy:mitre-attack-pattern="Native API - T1106",misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Python - T1059.006",misp-galaxy:mitre-attack-pattern="Rootkit - T1014",misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001",misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",tlp:white] Outgoing HTTP Domain pdjwebrfgdyzljmwtxcoyomapxtzchvn.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pdjwebrfgdyzljmwtxcoyomapxtzchvn.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])pdjwebrfgdyzljmwtxcoyomapxtzchvn\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4102722; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/249;) alert dns any any -> any any (msg: "MISP e249 [misp-galaxy:mitre-attack-pattern="Boot or Logon Initialization Scripts - T1037",misp-galaxy:mitre-attack-pattern="Compromise Client Software Binary - T1554",misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140",misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008",misp-galaxy:mitre-attack-pattern="File Transfer Protocols - T1071.002",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001",misp-galaxy:mitre-attack-pattern="Hide Artifacts - T1564",misp-galaxy:mitre-attack-pattern="Kernel Modules and Extensions - T1547.006",misp-galaxy:mitre-attack-pattern="Linux and Mac File and Directory Permissions Modification - T1222.002",misp-galaxy:mitre-attack-pattern="Modify Authentication Process - T1556",misp-galaxy:mitre-attack-pattern="Native API - T1106",misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Python - T1059.006",misp-galaxy:mitre-attack-pattern="Rootkit - T1014",misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001",misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",tlp:white] Domain nfcomizsdseqiomzqrxwvtprxbljkpgd.name"; dns.query; content:"nfcomizsdseqiomzqrxwvtprxbljkpgd.name"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])nfcomizsdseqiomzqrxwvtprxbljkpgd\.name$/i"; classtype:trojan-activity; sid:4102731; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/249;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e249 [misp-galaxy:mitre-attack-pattern="Boot or Logon Initialization Scripts - T1037",misp-galaxy:mitre-attack-pattern="Compromise Client Software Binary - T1554",misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140",misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008",misp-galaxy:mitre-attack-pattern="File Transfer Protocols - T1071.002",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001",misp-galaxy:mitre-attack-pattern="Hide Artifacts - T1564",misp-galaxy:mitre-attack-pattern="Kernel Modules and Extensions - T1547.006",misp-galaxy:mitre-attack-pattern="Linux and Mac File and Directory Permissions Modification - T1222.002",misp-galaxy:mitre-attack-pattern="Modify Authentication Process - T1556",misp-galaxy:mitre-attack-pattern="Native API - T1106",misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Python - T1059.006",misp-galaxy:mitre-attack-pattern="Rootkit - T1014",misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001",misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",tlp:white] Outgoing HTTP Domain nfcomizsdseqiomzqrxwvtprxbljkpgd.name"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; 
content:"nfcomizsdseqiomzqrxwvtprxbljkpgd.name"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nfcomizsdseqiomzqrxwvtprxbljkpgd\.name[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4102732; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/249;) alert dns any any -> any any (msg: "MISP e249 [misp-galaxy:mitre-attack-pattern="Boot or Logon Initialization Scripts - T1037",misp-galaxy:mitre-attack-pattern="Compromise Client Software Binary - T1554",misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140",misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008",misp-galaxy:mitre-attack-pattern="File Transfer Protocols - T1071.002",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001",misp-galaxy:mitre-attack-pattern="Hide Artifacts - T1564",misp-galaxy:mitre-attack-pattern="Kernel Modules and Extensions - T1547.006",misp-galaxy:mitre-attack-pattern="Linux and Mac File and Directory Permissions Modification - T1222.002",misp-galaxy:mitre-attack-pattern="Modify Authentication Process - T1556",misp-galaxy:mitre-attack-pattern="Native API - T1106",misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Python - T1059.006",misp-galaxy:mitre-attack-pattern="Rootkit - T1014",misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001",misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",tlp:white] Domain hkxpqdtgsucylodaejmzmtnkpfvojabe.com"; dns.query; 
content:"hkxpqdtgsucylodaejmzmtnkpfvojabe.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])hkxpqdtgsucylodaejmzmtnkpfvojabe\.com$/i"; classtype:trojan-activity; sid:4102741; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/249;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e249 [misp-galaxy:mitre-attack-pattern="Boot or Logon Initialization Scripts - T1037",misp-galaxy:mitre-attack-pattern="Compromise Client Software Binary - T1554",misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140",misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008",misp-galaxy:mitre-attack-pattern="File Transfer Protocols - T1071.002",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001",misp-galaxy:mitre-attack-pattern="Hide Artifacts - T1564",misp-galaxy:mitre-attack-pattern="Kernel Modules and Extensions - T1547.006",misp-galaxy:mitre-attack-pattern="Linux and Mac File and Directory Permissions Modification - T1222.002",misp-galaxy:mitre-attack-pattern="Modify Authentication Process - T1556",misp-galaxy:mitre-attack-pattern="Native API - T1106",misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Python - T1059.006",misp-galaxy:mitre-attack-pattern="Rootkit - T1014",misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001",misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",tlp:white] Outgoing HTTP Domain hkxpqdtgsucylodaejmzmtnkpfvojabe.com"; flow:to_server,established; http.header; 
content: "Host|3a|"; nocase; http.header; content:"hkxpqdtgsucylodaejmzmtnkpfvojabe.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hkxpqdtgsucylodaejmzmtnkpfvojabe\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4102742; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/249;) alert dns any any -> any any (msg: "MISP e249 [misp-galaxy:mitre-attack-pattern="Boot or Logon Initialization Scripts - T1037",misp-galaxy:mitre-attack-pattern="Compromise Client Software Binary - T1554",misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140",misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008",misp-galaxy:mitre-attack-pattern="File Transfer Protocols - T1071.002",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001",misp-galaxy:mitre-attack-pattern="Hide Artifacts - T1564",misp-galaxy:mitre-attack-pattern="Kernel Modules and Extensions - T1547.006",misp-galaxy:mitre-attack-pattern="Linux and Mac File and Directory Permissions Modification - T1222.002",misp-galaxy:mitre-attack-pattern="Modify Authentication Process - T1556",misp-galaxy:mitre-attack-pattern="Native API - T1106",misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Python - T1059.006",misp-galaxy:mitre-attack-pattern="Rootkit - T1014",misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001",misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",tlp:white] Domain 
etzndtcvqvyxajpcgwkzsoweaubilflh.com"; dns.query; content:"etzndtcvqvyxajpcgwkzsoweaubilflh.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])etzndtcvqvyxajpcgwkzsoweaubilflh\.com$/i"; classtype:trojan-activity; sid:4102751; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/249;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e249 [misp-galaxy:mitre-attack-pattern="Boot or Logon Initialization Scripts - T1037",misp-galaxy:mitre-attack-pattern="Compromise Client Software Binary - T1554",misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140",misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008",misp-galaxy:mitre-attack-pattern="File Transfer Protocols - T1071.002",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001",misp-galaxy:mitre-attack-pattern="Hide Artifacts - T1564",misp-galaxy:mitre-attack-pattern="Kernel Modules and Extensions - T1547.006",misp-galaxy:mitre-attack-pattern="Linux and Mac File and Directory Permissions Modification - T1222.002",misp-galaxy:mitre-attack-pattern="Modify Authentication Process - T1556",misp-galaxy:mitre-attack-pattern="Native API - T1106",misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Python - T1059.006",misp-galaxy:mitre-attack-pattern="Rootkit - T1014",misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001",misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",tlp:white] Outgoing HTTP Domain 
etzndtcvqvyxajpcgwkzsoweaubilflh.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"etzndtcvqvyxajpcgwkzsoweaubilflh.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])etzndtcvqvyxajpcgwkzsoweaubilflh\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4102752; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/249;) alert dns any any -> any any (msg: "MISP e249 [misp-galaxy:mitre-attack-pattern="Boot or Logon Initialization Scripts - T1037",misp-galaxy:mitre-attack-pattern="Compromise Client Software Binary - T1554",misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140",misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008",misp-galaxy:mitre-attack-pattern="File Transfer Protocols - T1071.002",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001",misp-galaxy:mitre-attack-pattern="Hide Artifacts - T1564",misp-galaxy:mitre-attack-pattern="Kernel Modules and Extensions - T1547.006",misp-galaxy:mitre-attack-pattern="Linux and Mac File and Directory Permissions Modification - T1222.002",misp-galaxy:mitre-attack-pattern="Modify Authentication Process - T1556",misp-galaxy:mitre-attack-pattern="Native API - T1106",misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Python - T1059.006",misp-galaxy:mitre-attack-pattern="Rootkit - T1014",misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001",misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Valid Accounts - 
T1078",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",tlp:white] Domain esnoptdkkiirzewlpgmccbwuynvxjumf.name"; dns.query; content:"esnoptdkkiirzewlpgmccbwuynvxjumf.name"; nocase; pcre: "/(^|[^A-Za-z0-9-])esnoptdkkiirzewlpgmccbwuynvxjumf\.name$/i"; classtype:trojan-activity; sid:4102761; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/249;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e249 [misp-galaxy:mitre-attack-pattern="Boot or Logon Initialization Scripts - T1037",misp-galaxy:mitre-attack-pattern="Compromise Client Software Binary - T1554",misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140",misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008",misp-galaxy:mitre-attack-pattern="File Transfer Protocols - T1071.002",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001",misp-galaxy:mitre-attack-pattern="Hide Artifacts - T1564",misp-galaxy:mitre-attack-pattern="Kernel Modules and Extensions - T1547.006",misp-galaxy:mitre-attack-pattern="Linux and Mac File and Directory Permissions Modification - T1222.002",misp-galaxy:mitre-attack-pattern="Modify Authentication Process - T1556",misp-galaxy:mitre-attack-pattern="Native API - T1106",misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Python - T1059.006",misp-galaxy:mitre-attack-pattern="Rootkit - T1014",misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001",misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Valid Accounts - 
T1078",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",tlp:white] Outgoing HTTP Domain esnoptdkkiirzewlpgmccbwuynvxjumf.name"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"esnoptdkkiirzewlpgmccbwuynvxjumf.name"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])esnoptdkkiirzewlpgmccbwuynvxjumf\.name[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4102762; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/249;) alert dns any any -> any any (msg: "MISP e249 [misp-galaxy:mitre-attack-pattern="Boot or Logon Initialization Scripts - T1037",misp-galaxy:mitre-attack-pattern="Compromise Client Software Binary - T1554",misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140",misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008",misp-galaxy:mitre-attack-pattern="File Transfer Protocols - T1071.002",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001",misp-galaxy:mitre-attack-pattern="Hide Artifacts - T1564",misp-galaxy:mitre-attack-pattern="Kernel Modules and Extensions - T1547.006",misp-galaxy:mitre-attack-pattern="Linux and Mac File and Directory Permissions Modification - T1222.002",misp-galaxy:mitre-attack-pattern="Modify Authentication Process - T1556",misp-galaxy:mitre-attack-pattern="Native API - T1106",misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Python - T1059.006",misp-galaxy:mitre-attack-pattern="Rootkit - T1014",misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001",misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="Unix Shell - 
T1059.004",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",tlp:white] Domain ekubhtlgnjndrmjbsqitdvvewcgzpacy.name"; dns.query; content:"ekubhtlgnjndrmjbsqitdvvewcgzpacy.name"; nocase; pcre: "/(^|[^A-Za-z0-9-])ekubhtlgnjndrmjbsqitdvvewcgzpacy\.name$/i"; classtype:trojan-activity; sid:4102771; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/249;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e249 [misp-galaxy:mitre-attack-pattern="Boot or Logon Initialization Scripts - T1037",misp-galaxy:mitre-attack-pattern="Compromise Client Software Binary - T1554",misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140",misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008",misp-galaxy:mitre-attack-pattern="File Transfer Protocols - T1071.002",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001",misp-galaxy:mitre-attack-pattern="Hide Artifacts - T1564",misp-galaxy:mitre-attack-pattern="Kernel Modules and Extensions - T1547.006",misp-galaxy:mitre-attack-pattern="Linux and Mac File and Directory Permissions Modification - T1222.002",misp-galaxy:mitre-attack-pattern="Modify Authentication Process - T1556",misp-galaxy:mitre-attack-pattern="Native API - T1106",misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Python - T1059.006",misp-galaxy:mitre-attack-pattern="Rootkit - T1014",misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001",misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="Unix Shell - 
T1059.004",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",tlp:white] Outgoing HTTP Domain ekubhtlgnjndrmjbsqitdvvewcgzpacy.name"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ekubhtlgnjndrmjbsqitdvvewcgzpacy.name"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ekubhtlgnjndrmjbsqitdvvewcgzpacy\.name[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4102772; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/249;) alert ip $HOME_NET any -> 27.102.130.63 any (msg: "MISP e249 [misp-galaxy:mitre-attack-pattern="Boot or Logon Initialization Scripts - T1037",misp-galaxy:mitre-attack-pattern="Compromise Client Software Binary - T1554",misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140",misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008",misp-galaxy:mitre-attack-pattern="File Transfer Protocols - T1071.002",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001",misp-galaxy:mitre-attack-pattern="Hide Artifacts - T1564",misp-galaxy:mitre-attack-pattern="Kernel Modules and Extensions - T1547.006",misp-galaxy:mitre-attack-pattern="Linux and Mac File and Directory Permissions Modification - T1222.002",misp-galaxy:mitre-attack-pattern="Modify Authentication Process - T1556",misp-galaxy:mitre-attack-pattern="Native API - T1106",misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Python - T1059.006",misp-galaxy:mitre-attack-pattern="Rootkit - T1014",misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001",misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - 
T1573.001",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",tlp:white] Outgoing To IP: 27.102.130.63"; classtype:trojan-activity; sid:4102781; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/249;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing URL abogados-en-medellin.com/odit-error/assumenda.zip"; flow:to_server,established; http.uri; content:"abogados-en-medellin.com/odit-error/assumenda.zip"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4102821; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain 168betclub.com"; dns.query; content:"168betclub.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])168betclub\.com$/i"; classtype:trojan-activity; sid:4102961; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain 168betclub.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"168betclub.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])168betclub\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4102962; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain 360digidives.com"; dns.query; content:"360digidives.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])360digidives\.com$/i"; classtype:trojan-activity; sid:4102971; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain 360digidives.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"360digidives.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])360digidives\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4102972; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain 5track.link"; dns.query; content:"5track.link"; nocase; pcre: "/(^|[^A-Za-z0-9-])5track\.link$/i"; classtype:trojan-activity; sid:4102981; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain 5track.link"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"5track.link"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])5track\.link[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4102982; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain abogadoaccidentedetransito.com"; dns.query; content:"abogadoaccidentedetransito.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])abogadoaccidentedetransito\.com$/i"; classtype:trojan-activity; sid:4102991; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain abogadoaccidentedetransito.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"abogadoaccidentedetransito.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])abogadoaccidentedetransito\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4102992; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain abogados-en-medellin.com"; dns.query; content:"abogados-en-medellin.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])abogados\-en\-medellin\.com$/i"; classtype:trojan-activity; sid:4103001; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain abogados-en-medellin.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"abogados-en-medellin.com"; fast_pattern; 
nocase; pcre: "/(^|[^A-Za-z0-9-])abogados\-en\-medellin\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103002; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain abogadosnegocios.co"; dns.query; content:"abogadosnegocios.co"; nocase; pcre: "/(^|[^A-Za-z0-9-])abogadosnegocios\.co$/i"; classtype:trojan-activity; sid:4103011; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain abogadosnegocios.co"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"abogadosnegocios.co"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])abogadosnegocios\.co[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103012; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain abufarees.com"; dns.query; content:"abufarees.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])abufarees\.com$/i"; classtype:trojan-activity; sid:4103021; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain abufarees.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; 
content:"abufarees.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])abufarees\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103022; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain academiademusicayanez.com"; dns.query; content:"academiademusicayanez.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])academiademusicayanez\.com$/i"; classtype:trojan-activity; sid:4103031; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain academiademusicayanez.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"academiademusicayanez.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])academiademusicayanez\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103032; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain acordimobiliar.ro"; dns.query; content:"acordimobiliar.ro"; nocase; pcre: "/(^|[^A-Za-z0-9-])acordimobiliar\.ro$/i"; classtype:trojan-activity; sid:4103041; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain acordimobiliar.ro"; 
flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"acordimobiliar.ro"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])acordimobiliar\.ro[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103042; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain acquafontana.com"; dns.query; content:"acquafontana.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])acquafontana\.com$/i"; classtype:trojan-activity; sid:4103051; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain acquafontana.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"acquafontana.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])acquafontana\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103052; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain acuafuego.com"; dns.query; content:"acuafuego.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])acuafuego\.com$/i"; classtype:trojan-activity; sid:4103061; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain 
acuafuego.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"acuafuego.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])acuafuego\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103062; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname afrizam.360cyberlink.com"; dns.query; content:"afrizam.360cyberlink.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])afrizam\.360cyberlink\.com$/i"; classtype:trojan-activity; sid:4103071; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname afrizam.360cyberlink.com"; flow:to_server,established; http.header; content: "Host|3a| afrizam.360cyberlink.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])afrizam\.360cyberlink\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103072; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain afvina.org"; dns.query; content:"afvina.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])afvina\.org$/i"; classtype:trojan-activity; sid:4103081; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] 
Outgoing HTTP Domain afvina.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"afvina.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])afvina\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103082; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain agilewolfs.com"; dns.query; content:"agilewolfs.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])agilewolfs\.com$/i"; classtype:trojan-activity; sid:4103091; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain agilewolfs.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"agilewolfs.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])agilewolfs\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103092; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain ahepad2.org"; dns.query; content:"ahepad2.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])ahepad2\.org$/i"; classtype:trojan-activity; sid:4103101; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain 
ahepad2.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ahepad2.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ahepad2\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103102; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain akademiilmujaya.com"; dns.query; content:"akademiilmujaya.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])akademiilmujaya\.com$/i"; classtype:trojan-activity; sid:4103111; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain akademiilmujaya.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"akademiilmujaya.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])akademiilmujaya\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103112; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain akwantufuomediaservices.com"; dns.query; content:"akwantufuomediaservices.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])akwantufuomediaservices\.com$/i"; classtype:trojan-activity; sid:4103121; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - 
T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain akwantufuomediaservices.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"akwantufuomediaservices.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])akwantufuomediaservices\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103122; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain alcorprime.com"; dns.query; content:"alcorprime.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])alcorprime\.com$/i"; classtype:trojan-activity; sid:4103131; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain alcorprime.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"alcorprime.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])alcorprime\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103132; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain alfacables.net"; dns.query; content:"alfacables.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])alfacables\.net$/i"; classtype:trojan-activity; sid:4103141; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 
[misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain alfacables.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"alfacables.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])alfacables\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103142; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain aliyaarts.lk"; dns.query; content:"aliyaarts.lk"; nocase; pcre: "/(^|[^A-Za-z0-9-])aliyaarts\.lk$/i"; classtype:trojan-activity; sid:4103151; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain aliyaarts.lk"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"aliyaarts.lk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])aliyaarts\.lk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103152; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain almajidcenter.org"; dns.query; content:"almajidcenter.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])almajidcenter\.org$/i"; classtype:trojan-activity; sid:4103161; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 
[misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain almajidcenter.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"almajidcenter.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])almajidcenter\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103162; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain almuhsinunfund.org"; dns.query; content:"almuhsinunfund.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])almuhsinunfund\.org$/i"; classtype:trojan-activity; sid:4103171; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain almuhsinunfund.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"almuhsinunfund.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])almuhsinunfund\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103172; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain alteadekori.hr"; dns.query; content:"alteadekori.hr"; nocase; pcre: "/(^|[^A-Za-z0-9-])alteadekori\.hr$/i"; classtype:trojan-activity; sid:4103181; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain alteadekori.hr"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"alteadekori.hr"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])alteadekori\.hr[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103182; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain amaimaging.com"; dns.query; content:"amaimaging.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])amaimaging\.com$/i"; classtype:trojan-activity; sid:4103191; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain amaimaging.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"amaimaging.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])amaimaging\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103192; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain ambassade-mauritanie-rabat.net"; dns.query; content:"ambassade-mauritanie-rabat.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])ambassade\-mauritanie\-rabat\.net$/i"; classtype:trojan-activity; sid:4103201; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain ambassade-mauritanie-rabat.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ambassade-mauritanie-rabat.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ambassade\-mauritanie\-rabat\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103202; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain amitadesai.com"; dns.query; content:"amitadesai.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])amitadesai\.com$/i"; classtype:trojan-activity; sid:4103211; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain amitadesai.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"amitadesai.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])amitadesai\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103212; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain amitempo.com"; dns.query; content:"amitempo.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])amitempo\.com$/i"; 
classtype:trojan-activity; sid:4103221; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain amitempo.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"amitempo.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])amitempo\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103222; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain amjsys.com"; dns.query; content:"amjsys.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])amjsys\.com$/i"; classtype:trojan-activity; sid:4103231; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain amjsys.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"amjsys.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])amjsys\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103232; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain anasarooms.gr"; dns.query; content:"anasarooms.gr"; nocase; pcre: "/(^|[^A-Za-z0-9-])anasarooms\.gr$/i"; classtype:trojan-activity; 
sid:4103241; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain anasarooms.gr"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"anasarooms.gr"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])anasarooms\.gr[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103242; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain apexbusinessconsultancy.com"; dns.query; content:"apexbusinessconsultancy.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])apexbusinessconsultancy\.com$/i"; classtype:trojan-activity; sid:4103251; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain apexbusinessconsultancy.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"apexbusinessconsultancy.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])apexbusinessconsultancy\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103252; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname api.acofps.com"; dns.query; content:"api.acofps.com"; 
nocase; pcre: "/(^|[^A-Za-z0-9-\.])api\.acofps\.com$/i"; classtype:trojan-activity; sid:4103261; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
# "Hostname" variant: the host is bound to the Host header in a single
# content match ("Host|3a| api.acofps.com") and the pcre forbids a leading
# ".", so only this exact host fires - unlike the "Domain" rules, whose
# pcre admits subdomains and whose Host|3a| / domain matches are separate.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname api.acofps.com"; flow:to_server,established; http.header; content: "Host|3a| api.acofps.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])api\.acofps\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103262; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain apimar.eu"; dns.query; content:"apimar.eu"; nocase; pcre: "/(^|[^A-Za-z0-9-])apimar\.eu$/i"; classtype:trojan-activity; sid:4103271; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain apimar.eu"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"apimar.eu"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])apimar\.eu[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103272; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain apnapansar.com"; dns.query; content:"apnapansar.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])apnapansar\.com$/i"; 
classtype:trojan-activity; sid:4103281; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain apnapansar.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"apnapansar.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])apnapansar\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103282; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain apostlesradio.org"; dns.query; content:"apostlesradio.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])apostlesradio\.org$/i"; classtype:trojan-activity; sid:4103291; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain apostlesradio.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"apostlesradio.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])apostlesradio\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103292; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain arabuap.com"; dns.query; content:"arabuap.com"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])arabuap\.com$/i"; classtype:trojan-activity; sid:4103301; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain arabuap.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"arabuap.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])arabuap\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103302; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain arimeto.lv"; dns.query; content:"arimeto.lv"; nocase; pcre: "/(^|[^A-Za-z0-9-])arimeto\.lv$/i"; classtype:trojan-activity; sid:4103311; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain arimeto.lv"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"arimeto.lv"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])arimeto\.lv[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103312; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain arricale.it"; dns.query; content:"arricale.it"; nocase; pcre: "/(^|[^A-Za-z0-9-])arricale\.it$/i"; 
classtype:trojan-activity; sid:4103321; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain arricale.it"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"arricale.it"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])arricale\.it[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103322; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain arsaojose.com"; dns.query; content:"arsaojose.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])arsaojose\.com$/i"; classtype:trojan-activity; sid:4103331; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain arsaojose.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"arsaojose.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])arsaojose\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103332; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain artadidactica.ro"; dns.query; content:"artadidactica.ro"; nocase; pcre: "/(^|[^A-Za-z0-9-])artadidactica\.ro$/i"; 
classtype:trojan-activity; sid:4103341; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain artadidactica.ro"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"artadidactica.ro"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])artadidactica\.ro[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103342; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain asesoriasalakazam.com"; dns.query; content:"asesoriasalakazam.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])asesoriasalakazam\.com$/i"; classtype:trojan-activity; sid:4103351; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain asesoriasalakazam.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"asesoriasalakazam.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])asesoriasalakazam\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103352; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname assurant.360cyberlink.com"; dns.query; 
content:"assurant.360cyberlink.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])assurant\.360cyberlink\.com$/i"; classtype:trojan-activity; sid:4103361; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname assurant.360cyberlink.com"; flow:to_server,established; http.header; content: "Host|3a| assurant.360cyberlink.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])assurant\.360cyberlink\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103362; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain astrosports.in"; dns.query; content:"astrosports.in"; nocase; pcre: "/(^|[^A-Za-z0-9-])astrosports\.in$/i"; classtype:trojan-activity; sid:4103371; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain astrosports.in"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"astrosports.in"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])astrosports\.in[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103372; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] 
Domain aszoran.hr"; dns.query; content:"aszoran.hr"; nocase; pcre: "/(^|[^A-Za-z0-9-])aszoran\.hr$/i"; classtype:trojan-activity; sid:4103381; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain aszoran.hr"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"aszoran.hr"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])aszoran\.hr[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103382; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname authentification.scanandrace.com"; dns.query; content:"authentification.scanandrace.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])authentification\.scanandrace\.com$/i"; classtype:trojan-activity; sid:4103391; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname authentification.scanandrace.com"; flow:to_server,established; http.header; content: "Host|3a| authentification.scanandrace.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])authentification\.scanandrace\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103392; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - 
T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain autocoolradiator.in"; dns.query; content:"autocoolradiator.in"; nocase; pcre: "/(^|[^A-Za-z0-9-])autocoolradiator\.in$/i"; classtype:trojan-activity; sid:4103401; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain autocoolradiator.in"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"autocoolradiator.in"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])autocoolradiator\.in[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103402; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain avegatasta.com"; dns.query; content:"avegatasta.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])avegatasta\.com$/i"; classtype:trojan-activity; sid:4103411; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain avegatasta.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"avegatasta.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])avegatasta\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103412; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 
[misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain backlinksminer.com"; dns.query; content:"backlinksminer.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])backlinksminer\.com$/i"; classtype:trojan-activity; sid:4103421; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain backlinksminer.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"backlinksminer.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])backlinksminer\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103422; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain balkaninfo.me"; dns.query; content:"balkaninfo.me"; nocase; pcre: "/(^|[^A-Za-z0-9-])balkaninfo\.me$/i"; classtype:trojan-activity; sid:4103431; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain balkaninfo.me"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"balkaninfo.me"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])balkaninfo\.me[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103432; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any 
(msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain bandamarecheia.com"; dns.query; content:"bandamarecheia.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])bandamarecheia\.com$/i"; classtype:trojan-activity; sid:4103441; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain bandamarecheia.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bandamarecheia.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bandamarecheia\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103442; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain bankunited.online"; dns.query; content:"bankunited.online"; nocase; pcre: "/(^|[^A-Za-z0-9-])bankunited\.online$/i"; classtype:trojan-activity; sid:4103451; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain bankunited.online"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bankunited.online"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bankunited\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103452; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain banyanproductosacupuntura.com"; dns.query; content:"banyanproductosacupuntura.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])banyanproductosacupuntura\.com$/i"; classtype:trojan-activity; sid:4103461; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain banyanproductosacupuntura.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"banyanproductosacupuntura.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])banyanproductosacupuntura\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103462; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain banyumili.co"; dns.query; content:"banyumili.co"; nocase; pcre: "/(^|[^A-Za-z0-9-])banyumili\.co$/i"; classtype:trojan-activity; sid:4103471; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain banyumili.co"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"banyumili.co"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])banyumili\.co[^A-Za-z0-9-\.]/Hi"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4103472; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain bapintek.com"; dns.query; content:"bapintek.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])bapintek\.com$/i"; classtype:trojan-activity; sid:4103481; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain bapintek.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bapintek.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bapintek\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103482; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain bartek-lenart.pl"; dns.query; content:"bartek-lenart.pl"; nocase; pcre: "/(^|[^A-Za-z0-9-])bartek\-lenart\.pl$/i"; classtype:trojan-activity; sid:4103491; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain bartek-lenart.pl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bartek-lenart.pl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bartek\-lenart\.pl[^A-Za-z0-9-\.]/Hi"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4103492; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain basicslab.co"; dns.query; content:"basicslab.co"; nocase; pcre: "/(^|[^A-Za-z0-9-])basicslab\.co$/i"; classtype:trojan-activity; sid:4103501; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain basicslab.co"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"basicslab.co"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])basicslab\.co[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103502; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain bazy.ps"; dns.query; content:"bazy.ps"; nocase; pcre: "/(^|[^A-Za-z0-9-])bazy\.ps$/i"; classtype:trojan-activity; sid:4103511; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain bazy.ps"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bazy.ps"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bazy\.ps[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; 
sid:4103512; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain bbaschools.com"; dns.query; content:"bbaschools.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])bbaschools\.com$/i"; classtype:trojan-activity; sid:4103521; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain bbaschools.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bbaschools.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bbaschools\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103522; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain beautifulgist.com"; dns.query; content:"beautifulgist.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])beautifulgist\.com$/i"; classtype:trojan-activity; sid:4103531; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain beautifulgist.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"beautifulgist.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])beautifulgist\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4103532; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname bengali.iu.ac.bd"; dns.query; content:"bengali.iu.ac.bd"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])bengali\.iu\.ac\.bd$/i"; classtype:trojan-activity; sid:4103541; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname bengali.iu.ac.bd"; flow:to_server,established; http.header; content: "Host|3a| bengali.iu.ac.bd"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])bengali\.iu\.ac\.bd[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103542; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain bestebroker.de"; dns.query; content:"bestebroker.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])bestebroker\.de$/i"; classtype:trojan-activity; sid:4103551; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain bestebroker.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bestebroker.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bestebroker\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4103552; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain bet-club.co"; dns.query; content:"bet-club.co"; nocase; pcre: "/(^|[^A-Za-z0-9-])bet\-club\.co$/i"; classtype:trojan-activity; sid:4103561; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain bet-club.co"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bet-club.co"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bet\-club\.co[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103562; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain bioelectronicgroup.com"; dns.query; content:"bioelectronicgroup.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])bioelectronicgroup\.com$/i"; classtype:trojan-activity; sid:4103571; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain bioelectronicgroup.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bioelectronicgroup.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])bioelectronicgroup\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103572; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname bitcoin-up.bafflepoetry.org"; dns.query; content:"bitcoin-up.bafflepoetry.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])bitcoin\-up\.bafflepoetry\.org$/i"; classtype:trojan-activity; sid:4103581; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname bitcoin-up.bafflepoetry.org"; flow:to_server,established; http.header; content: "Host|3a| bitcoin-up.bafflepoetry.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])bitcoin\-up\.bafflepoetry\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103582; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain biznisblog.com"; dns.query; content:"biznisblog.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])biznisblog\.com$/i"; classtype:trojan-activity; sid:4103591; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain biznisblog.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; 
http.header; content:"biznisblog.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])biznisblog\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103592; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain blackbirdcreekfarms.com"; dns.query; content:"blackbirdcreekfarms.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])blackbirdcreekfarms\.com$/i"; classtype:trojan-activity; sid:4103601; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain blackbirdcreekfarms.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"blackbirdcreekfarms.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])blackbirdcreekfarms\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103602; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain bluebirdbeverages.in"; dns.query; content:"bluebirdbeverages.in"; nocase; pcre: "/(^|[^A-Za-z0-9-])bluebirdbeverages\.in$/i"; classtype:trojan-activity; sid:4103611; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain 
bluebirdbeverages.in"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bluebirdbeverages.in"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bluebirdbeverages\.in[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103612; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain blueseagroups.com"; dns.query; content:"blueseagroups.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])blueseagroups\.com$/i"; classtype:trojan-activity; sid:4103621; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain blueseagroups.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"blueseagroups.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])blueseagroups\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103622; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname bonus.corporatebusinessmachines.co.in"; dns.query; content:"bonus.corporatebusinessmachines.co.in"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])bonus\.corporatebusinessmachines\.co\.in$/i"; classtype:trojan-activity; sid:4103631; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - 
T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname bonus.corporatebusinessmachines.co.in"; flow:to_server,established; http.header; content: "Host|3a| bonus.corporatebusinessmachines.co.in"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])bonus\.corporatebusinessmachines\.co\.in[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103632; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname bonusvulkanvegas.srdm.in"; dns.query; content:"bonusvulkanvegas.srdm.in"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])bonusvulkanvegas\.srdm\.in$/i"; classtype:trojan-activity; sid:4103641; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname bonusvulkanvegas.srdm.in"; flow:to_server,established; http.header; content: "Host|3a| bonusvulkanvegas.srdm.in"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])bonusvulkanvegas\.srdm\.in[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103642; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain bookaloid.in"; dns.query; content:"bookaloid.in"; nocase; pcre: "/(^|[^A-Za-z0-9-])bookaloid\.in$/i"; classtype:trojan-activity; sid:4103651; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain bookaloid.in"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bookaloid.in"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bookaloid\.in[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103652; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain brainzexchange.com"; dns.query; content:"brainzexchange.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])brainzexchange\.com$/i"; classtype:trojan-activity; sid:4103661; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain brainzexchange.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"brainzexchange.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])brainzexchange\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103662; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain bricopetvzla.com"; dns.query; content:"bricopetvzla.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])bricopetvzla\.com$/i"; classtype:trojan-activity; sid:4103671; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain bricopetvzla.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bricopetvzla.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bricopetvzla\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103672; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain builtbvbh-com.gq"; dns.query; content:"builtbvbh-com.gq"; nocase; pcre: "/(^|[^A-Za-z0-9-])builtbvbh\-com\.gq$/i"; classtype:trojan-activity; sid:4103681; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain builtbvbh-com.gq"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"builtbvbh-com.gq"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])builtbvbh\-com\.gq[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103682; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain builtbybh-com.gq"; dns.query; content:"builtbybh-com.gq"; nocase; pcre: "/(^|[^A-Za-z0-9-])builtbybh\-com\.gq$/i"; classtype:trojan-activity; sid:4103691; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain builtbybh-com.gq"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"builtbybh-com.gq"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])builtbybh\-com\.gq[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103692; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain builtybybh-com.gq"; dns.query; content:"builtybybh-com.gq"; nocase; pcre: "/(^|[^A-Za-z0-9-])builtybybh\-com\.gq$/i"; classtype:trojan-activity; sid:4103701; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain builtybybh-com.gq"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"builtybybh-com.gq"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])builtybybh\-com\.gq[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103702; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain buronisrl.uy"; dns.query; content:"buronisrl.uy"; nocase; pcre: "/(^|[^A-Za-z0-9-])buronisrl\.uy$/i"; classtype:trojan-activity; sid:4103711; 
rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain buronisrl.uy"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"buronisrl.uy"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])buronisrl\.uy[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103712; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain business-kpis.cf"; dns.query; content:"business-kpis.cf"; nocase; pcre: "/(^|[^A-Za-z0-9-])business\-kpis\.cf$/i"; classtype:trojan-activity; sid:4103721; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain business-kpis.cf"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"business-kpis.cf"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])business\-kpis\.cf[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103722; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain business-kpis.ga"; dns.query; content:"business-kpis.ga"; nocase; pcre: "/(^|[^A-Za-z0-9-])business\-kpis\.ga$/i"; classtype:trojan-activity; 
sid:4103731; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain business-kpis.ga"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"business-kpis.ga"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])business\-kpis\.ga[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103732; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain bussiness-z.ml"; dns.query; content:"bussiness-z.ml"; nocase; pcre: "/(^|[^A-Za-z0-9-])bussiness\-z\.ml$/i"; classtype:trojan-activity; sid:4103741; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain bussiness-z.ml"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bussiness-z.ml"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bussiness\-z\.ml[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103742; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain cablingpoint.com"; dns.query; content:"cablingpoint.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])cablingpoint\.com$/i"; 
classtype:trojan-activity; sid:4103751; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain cablingpoint.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cablingpoint.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cablingpoint\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103752; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain callgirlsandescortkenya.site"; dns.query; content:"callgirlsandescortkenya.site"; nocase; pcre: "/(^|[^A-Za-z0-9-])callgirlsandescortkenya\.site$/i"; classtype:trojan-activity; sid:4103761; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain callgirlsandescortkenya.site"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"callgirlsandescortkenya.site"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])callgirlsandescortkenya\.site[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103762; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain 
capconstrucciones.com"; dns.query; content:"capconstrucciones.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])capconstrucciones\.com$/i"; classtype:trojan-activity; sid:4103771; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain capconstrucciones.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"capconstrucciones.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])capconstrucciones\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103772; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain cargoconsultgroup.com"; dns.query; content:"cargoconsultgroup.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])cargoconsultgroup\.com$/i"; classtype:trojan-activity; sid:4103781; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain cargoconsultgroup.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cargoconsultgroup.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cargoconsultgroup\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103782; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - 
T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain cavisaoil.com"; dns.query; content:"cavisaoil.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])cavisaoil\.com$/i"; classtype:trojan-activity; sid:4103791; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain cavisaoil.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cavisaoil.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cavisaoil\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103792; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain cctvfiles.xyz"; dns.query; content:"cctvfiles.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])cctvfiles\.xyz$/i"; classtype:trojan-activity; sid:4103801; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain cctvfiles.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cctvfiles.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cctvfiles\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103802; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - 
T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain cdelean.org"; dns.query; content:"cdelean.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])cdelean\.org$/i"; classtype:trojan-activity; sid:4103811; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain cdelean.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cdelean.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cdelean\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103812; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname cdn.stattimes.com"; dns.query; content:"cdn.stattimes.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cdn\.stattimes\.com$/i"; classtype:trojan-activity; sid:4103821; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname cdn.stattimes.com"; flow:to_server,established; http.header; content: "Host|3a| cdn.stattimes.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cdn\.stattimes\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103822; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - 
T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname celulasmadreenmexico.com.mx"; dns.query; content:"celulasmadreenmexico.com.mx"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])celulasmadreenmexico\.com\.mx$/i"; classtype:trojan-activity; sid:4103831; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname celulasmadreenmexico.com.mx"; flow:to_server,established; http.header; content: "Host|3a| celulasmadreenmexico.com.mx"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])celulasmadreenmexico\.com\.mx[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103832; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain centralfloridaasphalt.com"; dns.query; content:"centralfloridaasphalt.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])centralfloridaasphalt\.com$/i"; classtype:trojan-activity; sid:4103841; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain centralfloridaasphalt.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"centralfloridaasphalt.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])centralfloridaasphalt\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103842; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain cfamedia.org"; dns.query; content:"cfamedia.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])cfamedia\.org$/i"; classtype:trojan-activity; sid:4103851; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain cfamedia.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cfamedia.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cfamedia\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103852; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname chaturanga.groopy.com"; dns.query; content:"chaturanga.groopy.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])chaturanga\.groopy\.com$/i"; classtype:trojan-activity; sid:4103861; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname chaturanga.groopy.com"; flow:to_server,established; http.header; content: "Host|3a| chaturanga.groopy.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])chaturanga\.groopy\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103862; rev:1; 
priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain chentamizhconstruction.com"; dns.query; content:"chentamizhconstruction.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])chentamizhconstruction\.com$/i"; classtype:trojan-activity; sid:4103871; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain chentamizhconstruction.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"chentamizhconstruction.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])chentamizhconstruction\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103872; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain chkto.com"; dns.query; content:"chkto.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])chkto\.com$/i"; classtype:trojan-activity; sid:4103881; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain chkto.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"chkto.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])chkto\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4103882; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain chop-shop.ro"; dns.query; content:"chop-shop.ro"; nocase; pcre: "/(^|[^A-Za-z0-9-])chop\-shop\.ro$/i"; classtype:trojan-activity; sid:4103891; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain chop-shop.ro"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"chop-shop.ro"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])chop\-shop\.ro[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103892; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain christianmarriageacademy.org"; dns.query; content:"christianmarriageacademy.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])christianmarriageacademy\.org$/i"; classtype:trojan-activity; sid:4103901; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain christianmarriageacademy.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"christianmarriageacademy.org"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])christianmarriageacademy\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103902; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain civilengineeringportal.info"; dns.query; content:"civilengineeringportal.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])civilengineeringportal\.info$/i"; classtype:trojan-activity; sid:4103911; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain civilengineeringportal.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"civilengineeringportal.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])civilengineeringportal\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103912; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain clipsuri-auto.ro"; dns.query; content:"clipsuri-auto.ro"; nocase; pcre: "/(^|[^A-Za-z0-9-])clipsuri\-auto\.ro$/i"; classtype:trojan-activity; sid:4103921; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain clipsuri-auto.ro"; flow:to_server,established; 
http.header; content: "Host|3a|"; nocase; http.header; content:"clipsuri-auto.ro"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])clipsuri\-auto\.ro[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103922; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain coachconsultdublin.com"; dns.query; content:"coachconsultdublin.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])coachconsultdublin\.com$/i"; classtype:trojan-activity; sid:4103931; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain coachconsultdublin.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"coachconsultdublin.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])coachconsultdublin\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103932; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain coalkosas.com"; dns.query; content:"coalkosas.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])coalkosas\.com$/i"; classtype:trojan-activity; sid:4103941; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP 
Domain coalkosas.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"coalkosas.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])coalkosas\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103942; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain coastalhighschool.com"; dns.query; content:"coastalhighschool.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])coastalhighschool\.com$/i"; classtype:trojan-activity; sid:4103951; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain coastalhighschool.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"coastalhighschool.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])coastalhighschool\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103952; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain coffee-service-phuket.com"; dns.query; content:"coffee-service-phuket.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])coffee\-service\-phuket\.com$/i"; classtype:trojan-activity; sid:4103961; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - 
T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain coffee-service-phuket.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"coffee-service-phuket.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])coffee\-service\-phuket\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103962; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname colegiobilinguepioxii.com.co"; dns.query; content:"colegiobilinguepioxii.com.co"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])colegiobilinguepioxii\.com\.co$/i"; classtype:trojan-activity; sid:4103971; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname colegiobilinguepioxii.com.co"; flow:to_server,established; http.header; content: "Host|3a| colegiobilinguepioxii.com.co"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])colegiobilinguepioxii\.com\.co[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103972; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain colorshine.net"; dns.query; content:"colorshine.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])colorshine\.net$/i"; classtype:trojan-activity; sid:4103981; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain colorshine.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"colorshine.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])colorshine\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103982; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain comercializadoramarza.com"; dns.query; content:"comercializadoramarza.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])comercializadoramarza\.com$/i"; classtype:trojan-activity; sid:4103991; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain comercializadoramarza.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"comercializadoramarza.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])comercializadoramarza\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4103992; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain comercialmarvic.cl"; dns.query; content:"comercialmarvic.cl"; nocase; pcre: "/(^|[^A-Za-z0-9-])comercialmarvic\.cl$/i"; classtype:trojan-activity; sid:4104001; rev:1; 
priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain comercialmarvic.cl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"comercialmarvic.cl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])comercialmarvic\.cl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104002; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain commercialroof.org"; dns.query; content:"commercialroof.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])commercialroof\.org$/i"; classtype:trojan-activity; sid:4104011; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain commercialroof.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"commercialroof.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])commercialroof\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104012; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain commercialroofmemphis.com"; dns.query; content:"commercialroofmemphis.com"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])commercialroofmemphis\.com$/i"; classtype:trojan-activity; sid:4104021; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain commercialroofmemphis.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"commercialroofmemphis.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])commercialroofmemphis\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104022; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain comoengravidar.site"; dns.query; content:"comoengravidar.site"; nocase; pcre: "/(^|[^A-Za-z0-9-])comoengravidar\.site$/i"; classtype:trojan-activity; sid:4104031; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain comoengravidar.site"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"comoengravidar.site"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])comoengravidar\.site[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104032; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] 
Domain comopel.com"; dns.query; content:"comopel.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])comopel\.com$/i"; classtype:trojan-activity; sid:4104041; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain comopel.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"comopel.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])comopel\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104042; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain compelsa.com"; dns.query; content:"compelsa.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])compelsa\.com$/i"; classtype:trojan-activity; sid:4104051; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain compelsa.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"compelsa.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])compelsa\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104052; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain complejobotanico.com"; 
dns.query; content:"complejobotanico.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])complejobotanico\.com$/i"; classtype:trojan-activity; sid:4104061; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain complejobotanico.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"complejobotanico.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])complejobotanico\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104062; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain conartedemujer.com"; dns.query; content:"conartedemujer.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])conartedemujer\.com$/i"; classtype:trojan-activity; sid:4104071; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain conartedemujer.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"conartedemujer.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])conartedemujer\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104072; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - 
T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain conde-granados.com"; dns.query; content:"conde-granados.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])conde\-granados\.com$/i"; classtype:trojan-activity; sid:4104081; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain conde-granados.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"conde-granados.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])conde\-granados\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104082; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain containerlafamilia.cl"; dns.query; content:"containerlafamilia.cl"; nocase; pcre: "/(^|[^A-Za-z0-9-])containerlafamilia\.cl$/i"; classtype:trojan-activity; sid:4104091; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain containerlafamilia.cl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"containerlafamilia.cl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])containerlafamilia\.cl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104092; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any 
any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain control-ye.com"; dns.query; content:"control-ye.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])control\-ye\.com$/i"; classtype:trojan-activity; sid:4104101; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain control-ye.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"control-ye.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])control\-ye\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104102; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain contursystem.ro"; dns.query; content:"contursystem.ro"; nocase; pcre: "/(^|[^A-Za-z0-9-])contursystem\.ro$/i"; classtype:trojan-activity; sid:4104111; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain contursystem.ro"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"contursystem.ro"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])contursystem\.ro[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104112; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any 
-> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain corpsme.com"; dns.query; content:"corpsme.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])corpsme\.com$/i"; classtype:trojan-activity; sid:4104121; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain corpsme.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"corpsme.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])corpsme\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104122; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain cortinastelasytrazos.com"; dns.query; content:"cortinastelasytrazos.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])cortinastelasytrazos\.com$/i"; classtype:trojan-activity; sid:4104131; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain cortinastelasytrazos.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cortinastelasytrazos.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cortinastelasytrazos\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104132; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain covertekceramica.com"; dns.query; content:"covertekceramica.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])covertekceramica\.com$/i"; classtype:trojan-activity; sid:4104141; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain covertekceramica.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"covertekceramica.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])covertekceramica\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104142; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain createur-multimedia.com"; dns.query; content:"createur-multimedia.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])createur\-multimedia\.com$/i"; classtype:trojan-activity; sid:4104151; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain createur-multimedia.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"createur-multimedia.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])createur\-multimedia\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104152; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain crecercultivos.com"; dns.query; content:"crecercultivos.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])crecercultivos\.com$/i"; classtype:trojan-activity; sid:4104161; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain crecercultivos.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"crecercultivos.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])crecercultivos\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104162; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain cronictechnologies.com"; dns.query; content:"cronictechnologies.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])cronictechnologies\.com$/i"; classtype:trojan-activity; sid:4104171; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain cronictechnologies.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; 
http.header; content:"cronictechnologies.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cronictechnologies\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104172; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain csiap.lk"; dns.query; content:"csiap.lk"; nocase; pcre: "/(^|[^A-Za-z0-9-])csiap\.lk$/i"; classtype:trojan-activity; sid:4104181; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain csiap.lk"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"csiap.lk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])csiap\.lk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104182; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain curadincubator.org"; dns.query; content:"curadincubator.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])curadincubator\.org$/i"; classtype:trojan-activity; sid:4104191; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain curadincubator.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; 
http.header; content:"curadincubator.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])curadincubator\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104192; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain customketodiet.net"; dns.query; content:"customketodiet.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])customketodiet\.net$/i"; classtype:trojan-activity; sid:4104201; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain customketodiet.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"customketodiet.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])customketodiet\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104202; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain dancongnghe.xyz"; dns.query; content:"dancongnghe.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])dancongnghe\.xyz$/i"; classtype:trojan-activity; sid:4104211; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain dancongnghe.xyz"; flow:to_server,established; 
http.header; content: "Host|3a|"; nocase; http.header; content:"dancongnghe.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dancongnghe\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104212; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
# --- MISP event 250: phishing-domain IOCs (one Suricata rule per line) ---------
# Reviewer notes on the exporter's rule template, grounded in the rules below:
#  * "Domain" HTTP rules (e.g. sid:4104222) match the domain anywhere in the
#    request headers, not only in Host. The content "Host|3a|" merely requires
#    that some Host header exists; the pcre runs over the whole http.header
#    buffer (/H) and is not tied to the Host line. Its leading class
#    [^A-Za-z0-9-] also admits ".", so any subdomain matches too. A Referer or
#    Origin header naming the domain fires the rule as well, so read a hit as
#    "request referenced the domain", not "request was sent to the domain".
#  * "Hostname" HTTP rules (e.g. sid:4104232) look for a literal
#    "Host|3a| <hostname>" and the pcre's leading class [^A-Za-z0-9-\.]
#    excludes ".", so they match the exact host only (no subdomains). The
#    trailing [^A-Za-z0-9-\.] still accepts a following ":port" or CR.
#    NOTE(review): the single space after "Host:" assumes the normalized
#    http.header buffer always renders the header that way - confirm for your
#    Suricata version before relying on this for non-standard clients.
#  * DNS rules are "any any -> any any": no $HOME_NET or direction constraint,
#    so a single client lookup forwarded through an internal resolver can
#    produce more than one alert. Expect duplicates on sensors that see both
#    client and resolver traffic.
#  * tag:session,600,seconds records the rest of the flow for 10 minutes after
#    a hit; budget for that extra log volume on busy proxies.
#  * classtype is the exporter's fixed "trojan-activity" although the event is
#    tagged phishing/T1566 - do not triage on classtype alone; use the msg tags.
#  * Keywords used here (dns.query / http.header sticky buffers, "alert http",
#    "alert dns") are Suricata syntax; this export is not loadable as-is by
#    Snort 2 (see the header comment about $HTTP_PORTS).
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain dasceq-com.gq"; dns.query; content:"dasceq-com.gq"; nocase; pcre: "/(^|[^A-Za-z0-9-])dasceq\-com\.gq$/i"; classtype:trojan-activity; sid:4104221; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain dasceq-com.gq"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dasceq-com.gq"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dasceq\-com\.gq[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104222; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
# Hostname IOC pair: exact host only (leading pcre class excludes "."), see notes above.
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname dashboard.adlytic.ai"; dns.query; content:"dashboard.adlytic.ai"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])dashboard\.adlytic\.ai$/i"; classtype:trojan-activity; sid:4104231; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname dashboard.adlytic.ai"; flow:to_server,established; http.header; content: "Host|3a| dashboard.adlytic.ai"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])dashboard\.adlytic\.ai[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104232; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain deanandwilconstruction.com"; dns.query; content:"deanandwilconstruction.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])deanandwilconstruction\.com$/i"; classtype:trojan-activity; sid:4104241; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain deanandwilconstruction.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"deanandwilconstruction.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])deanandwilconstruction\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104242; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain decimaai.com"; dns.query; content:"decimaai.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])decimaai\.com$/i"; classtype:trojan-activity; sid:4104251; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - 
T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain decimaai.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"decimaai.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])decimaai\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104252; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain delightautomation.com"; dns.query; content:"delightautomation.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])delightautomation\.com$/i"; classtype:trojan-activity; sid:4104261; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain delightautomation.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"delightautomation.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])delightautomation\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104262; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname demo.360degreeinfo.co"; dns.query; content:"demo.360degreeinfo.co"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])demo\.360degreeinfo\.co$/i"; classtype:trojan-activity; sid:4104271; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname demo.360degreeinfo.co"; flow:to_server,established; http.header; content: "Host|3a| demo.360degreeinfo.co"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])demo\.360degreeinfo\.co[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104272; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain dentalobelisco.com"; dns.query; content:"dentalobelisco.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])dentalobelisco\.com$/i"; classtype:trojan-activity; sid:4104281; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain dentalobelisco.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dentalobelisco.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dentalobelisco\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104282; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain designvision.in"; dns.query; content:"designvision.in"; nocase; pcre: "/(^|[^A-Za-z0-9-])designvision\.in$/i"; classtype:trojan-activity; sid:4104291; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain designvision.in"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"designvision.in"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])designvision\.in[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104292; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain dezautosam.ro"; dns.query; content:"dezautosam.ro"; nocase; pcre: "/(^|[^A-Za-z0-9-])dezautosam\.ro$/i"; classtype:trojan-activity; sid:4104301; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain dezautosam.ro"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dezautosam.ro"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dezautosam\.ro[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104302; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain dhyaravi.com"; dns.query; content:"dhyaravi.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])dhyaravi\.com$/i"; classtype:trojan-activity; sid:4104311; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain dhyaravi.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dhyaravi.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dhyaravi\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104312; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain digitalmaster.online"; dns.query; content:"digitalmaster.online"; nocase; pcre: "/(^|[^A-Za-z0-9-])digitalmaster\.online$/i"; classtype:trojan-activity; sid:4104321; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain digitalmaster.online"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"digitalmaster.online"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])digitalmaster\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104322; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain digitalmeritmedia.com"; dns.query; content:"digitalmeritmedia.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])digitalmeritmedia\.com$/i"; classtype:trojan-activity; sid:4104331; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain digitalmeritmedia.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"digitalmeritmedia.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])digitalmeritmedia\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104332; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain dimaloc07.com"; dns.query; content:"dimaloc07.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])dimaloc07\.com$/i"; classtype:trojan-activity; sid:4104341; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain dimaloc07.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dimaloc07.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dimaloc07\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104342; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain dissertationhelp.online"; dns.query; content:"dissertationhelp.online"; nocase; pcre: "/(^|[^A-Za-z0-9-])dissertationhelp\.online$/i"; 
classtype:trojan-activity; sid:4104351; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain dissertationhelp.online"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dissertationhelp.online"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dissertationhelp\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104352; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain doanalytics.net"; dns.query; content:"doanalytics.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])doanalytics\.net$/i"; classtype:trojan-activity; sid:4104361; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain doanalytics.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"doanalytics.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])doanalytics\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104362; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain duamarketing.com"; dns.query; content:"duamarketing.com"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])duamarketing\.com$/i"; classtype:trojan-activity; sid:4104371; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain duamarketing.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"duamarketing.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])duamarketing\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104372; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain dv-hero.com"; dns.query; content:"dv-hero.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])dv\-hero\.com$/i"; classtype:trojan-activity; sid:4104381; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain dv-hero.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dv-hero.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dv\-hero\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104382; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain dzairvoyages.com"; dns.query; content:"dzairvoyages.com"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])dzairvoyages\.com$/i"; classtype:trojan-activity; sid:4104391; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain dzairvoyages.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dzairvoyages.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dzairvoyages\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104392; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain ebrouteindia.com"; dns.query; content:"ebrouteindia.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ebrouteindia\.com$/i"; classtype:trojan-activity; sid:4104401; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain ebrouteindia.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ebrouteindia.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ebrouteindia\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104402; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain ecp-egy.com"; dns.query; content:"ecp-egy.com"; 
nocase; pcre: "/(^|[^A-Za-z0-9-])ecp\-egy\.com$/i"; classtype:trojan-activity; sid:4104411; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain ecp-egy.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ecp-egy.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ecp\-egy\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104412; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain edmeeoutfit.com"; dns.query; content:"edmeeoutfit.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])edmeeoutfit\.com$/i"; classtype:trojan-activity; sid:4104421; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain edmeeoutfit.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"edmeeoutfit.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])edmeeoutfit\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104422; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain eduardoexcell.com"; dns.query; content:"eduardoexcell.com"; 
nocase; pcre: "/(^|[^A-Za-z0-9-])eduardoexcell\.com$/i"; classtype:trojan-activity; sid:4104431; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain eduardoexcell.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"eduardoexcell.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])eduardoexcell\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104432; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain egalaspot.com"; dns.query; content:"egalaspot.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])egalaspot\.com$/i"; classtype:trojan-activity; sid:4104441; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain egalaspot.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"egalaspot.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])egalaspot\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104442; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain elcapitanzheimer.com"; dns.query; 
content:"elcapitanzheimer.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])elcapitanzheimer\.com$/i"; classtype:trojan-activity; sid:4104451; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain elcapitanzheimer.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"elcapitanzheimer.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])elcapitanzheimer\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104452; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain elenigogos.com"; dns.query; content:"elenigogos.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])elenigogos\.com$/i"; classtype:trojan-activity; sid:4104461; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain elenigogos.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"elenigogos.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])elenigogos\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104462; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] 
Hostname elitekhatsacco.co.ke"; dns.query; content:"elitekhatsacco.co.ke"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])elitekhatsacco\.co\.ke$/i"; classtype:trojan-activity; sid:4104471; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname elitekhatsacco.co.ke"; flow:to_server,established; http.header; content: "Host|3a| elitekhatsacco.co.ke"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])elitekhatsacco\.co\.ke[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104472; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname empresas.ecohertz.com.br"; dns.query; content:"empresas.ecohertz.com.br"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])empresas\.ecohertz\.com\.br$/i"; classtype:trojan-activity; sid:4104481; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname empresas.ecohertz.com.br"; flow:to_server,established; http.header; content: "Host|3a| empresas.ecohertz.com.br"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])empresas\.ecohertz\.com\.br[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104482; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - 
T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname ems.prodigygroupindia.com"; dns.query; content:"ems.prodigygroupindia.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ems\.prodigygroupindia\.com$/i"; classtype:trojan-activity; sid:4104491; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname ems.prodigygroupindia.com"; flow:to_server,established; http.header; content: "Host|3a| ems.prodigygroupindia.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ems\.prodigygroupindia\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104492; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain enjoytouring.ro"; dns.query; content:"enjoytouring.ro"; nocase; pcre: "/(^|[^A-Za-z0-9-])enjoytouring\.ro$/i"; classtype:trojan-activity; sid:4104501; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain enjoytouring.ro"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"enjoytouring.ro"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])enjoytouring\.ro[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104502; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP 
e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain enlacelaboral.com"; dns.query; content:"enlacelaboral.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])enlacelaboral\.com$/i"; classtype:trojan-activity; sid:4104511; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain enlacelaboral.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"enlacelaboral.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])enlacelaboral\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104512; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain epyllion.foundation"; dns.query; content:"epyllion.foundation"; nocase; pcre: "/(^|[^A-Za-z0-9-])epyllion\.foundation$/i"; classtype:trojan-activity; sid:4104521; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain epyllion.foundation"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"epyllion.foundation"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])epyllion\.foundation[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104522; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain eresourcesmoneymarket.com"; dns.query; content:"eresourcesmoneymarket.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])eresourcesmoneymarket\.com$/i"; classtype:trojan-activity; sid:4104531; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain eresourcesmoneymarket.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"eresourcesmoneymarket.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])eresourcesmoneymarket\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104532; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain erkent.net"; dns.query; content:"erkent.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])erkent\.net$/i"; classtype:trojan-activity; sid:4104541; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain erkent.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"erkent.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])erkent\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4104542; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain ethlearning.com"; dns.query; content:"ethlearning.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ethlearning\.com$/i"; classtype:trojan-activity; sid:4104551; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain ethlearning.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ethlearning.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ethlearning\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104552; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain fahzalshahrel.com"; dns.query; content:"fahzalshahrel.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])fahzalshahrel\.com$/i"; classtype:trojan-activity; sid:4104561; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain fahzalshahrel.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"fahzalshahrel.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])fahzalshahrel\.com[^A-Za-z0-9-\.]/Hi"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4104562; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain fbg.ge"; dns.query; content:"fbg.ge"; nocase; pcre: "/(^|[^A-Za-z0-9-])fbg\.ge$/i"; classtype:trojan-activity; sid:4104571; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain fbg.ge"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"fbg.ge"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])fbg\.ge[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104572; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain femioyekolaandco.com"; dns.query; content:"femioyekolaandco.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])femioyekolaandco\.com$/i"; classtype:trojan-activity; sid:4104581; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain femioyekolaandco.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"femioyekolaandco.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])femioyekolaandco\.com[^A-Za-z0-9-\.]/Hi"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4104582; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain ferispnp.com"; dns.query; content:"ferispnp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ferispnp\.com$/i"; classtype:trojan-activity; sid:4104591; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain ferispnp.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ferispnp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ferispnp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104592; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain fisioterapiadomiciliare.com"; dns.query; content:"fisioterapiadomiciliare.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])fisioterapiadomiciliare\.com$/i"; classtype:trojan-activity; sid:4104601; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain fisioterapiadomiciliare.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"fisioterapiadomiciliare.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])fisioterapiadomiciliare\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104602; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain flyershipmanager.com"; dns.query; content:"flyershipmanager.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])flyershipmanager\.com$/i"; classtype:trojan-activity; sid:4104611; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain flyershipmanager.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"flyershipmanager.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])flyershipmanager\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104612; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname focus.focalrack.com"; dns.query; content:"focus.focalrack.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])focus\.focalrack\.com$/i"; classtype:trojan-activity; sid:4104621; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname focus.focalrack.com"; flow:to_server,established; http.header; content: "Host|3a| 
focus.focalrack.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])focus\.focalrack\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104622; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain fondationgeneralakissi.org"; dns.query; content:"fondationgeneralakissi.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])fondationgeneralakissi\.org$/i"; classtype:trojan-activity; sid:4104631; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain fondationgeneralakissi.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"fondationgeneralakissi.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])fondationgeneralakissi\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104632; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain fuerzamotriz2021.com"; dns.query; content:"fuerzamotriz2021.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])fuerzamotriz2021\.com$/i"; classtype:trojan-activity; sid:4104641; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain 
fuerzamotriz2021.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"fuerzamotriz2021.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])fuerzamotriz2021\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104642; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain fundacionverdaderosheroes.com"; dns.query; content:"fundacionverdaderosheroes.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])fundacionverdaderosheroes\.com$/i"; classtype:trojan-activity; sid:4104651; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain fundacionverdaderosheroes.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"fundacionverdaderosheroes.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])fundacionverdaderosheroes\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104652; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain fundacionverdaderosheroes.org"; dns.query; content:"fundacionverdaderosheroes.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])fundacionverdaderosheroes\.org$/i"; classtype:trojan-activity; sid:4104661; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 
[misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain fundacionverdaderosheroes.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"fundacionverdaderosheroes.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])fundacionverdaderosheroes\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104662; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain funerariasperu.com"; dns.query; content:"funerariasperu.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])funerariasperu\.com$/i"; classtype:trojan-activity; sid:4104671; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain funerariasperu.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"funerariasperu.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])funerariasperu\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104672; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname gadhwadasamaj.techofi.in"; dns.query; content:"gadhwadasamaj.techofi.in"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])gadhwadasamaj\.techofi\.in$/i"; classtype:trojan-activity; sid:4104681; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname gadhwadasamaj.techofi.in"; flow:to_server,established; http.header; content: "Host|3a| gadhwadasamaj.techofi.in"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])gadhwadasamaj\.techofi\.in[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104682; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain gclub999.club"; dns.query; content:"gclub999.club"; nocase; pcre: "/(^|[^A-Za-z0-9-])gclub999\.club$/i"; classtype:trojan-activity; sid:4104691; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain gclub999.club"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gclub999.club"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gclub999\.club[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104692; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain generacciondigital.org"; dns.query; content:"generacciondigital.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])generacciondigital\.org$/i"; classtype:trojan-activity; sid:4104701; 
rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain generacciondigital.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"generacciondigital.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])generacciondigital\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104702; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain generatorulubabanu.ro"; dns.query; content:"generatorulubabanu.ro"; nocase; pcre: "/(^|[^A-Za-z0-9-])generatorulubabanu\.ro$/i"; classtype:trojan-activity; sid:4104711; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain generatorulubabanu.ro"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"generatorulubabanu.ro"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])generatorulubabanu\.ro[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104712; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname gerencial.institutoacqua.org.br"; dns.query; 
content:"gerencial.institutoacqua.org.br"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])gerencial\.institutoacqua\.org\.br$/i"; classtype:trojan-activity; sid:4104721; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname gerencial.institutoacqua.org.br"; flow:to_server,established; http.header; content: "Host|3a| gerencial.institutoacqua.org.br"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])gerencial\.institutoacqua\.org\.br[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104722; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain ghapan.com"; dns.query; content:"ghapan.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ghapan\.com$/i"; classtype:trojan-activity; sid:4104731; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain ghapan.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ghapan.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ghapan\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104732; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - 
T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname giasuphire.tddvn.com"; dns.query; content:"giasuphire.tddvn.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])giasuphire\.tddvn\.com$/i"; classtype:trojan-activity; sid:4104741; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname giasuphire.tddvn.com"; flow:to_server,established; http.header; content: "Host|3a| giasuphire.tddvn.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])giasuphire\.tddvn\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104742; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain gitamschool.com"; dns.query; content:"gitamschool.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])gitamschool\.com$/i"; classtype:trojan-activity; sid:4104751; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain gitamschool.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gitamschool.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gitamschool\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104752; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 
[misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain globaldeeds.org"; dns.query; content:"globaldeeds.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])globaldeeds\.org$/i"; classtype:trojan-activity; sid:4104761; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain globaldeeds.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"globaldeeds.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])globaldeeds\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104762; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname gmanews.netw0rk.xyz"; dns.query; content:"gmanews.netw0rk.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])gmanews\.netw0rk\.xyz$/i"; classtype:trojan-activity; sid:4104771; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname gmanews.netw0rk.xyz"; flow:to_server,established; http.header; content: "Host|3a| gmanews.netw0rk.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])gmanews\.netw0rk\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104772; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any 
(msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain gmanewsupdates.xyz"; dns.query; content:"gmanewsupdates.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])gmanewsupdates\.xyz$/i"; classtype:trojan-activity; sid:4104781; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain gmanewsupdates.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gmanewsupdates.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gmanewsupdates\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104782; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain gorankings.net"; dns.query; content:"gorankings.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])gorankings\.net$/i"; classtype:trojan-activity; sid:4104791; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain gorankings.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gorankings.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gorankings\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104792; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert 
dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname gramya.techofi.in"; dns.query; content:"gramya.techofi.in"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])gramya\.techofi\.in$/i"; classtype:trojan-activity; sid:4104801; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname gramya.techofi.in"; flow:to_server,established; http.header; content: "Host|3a| gramya.techofi.in"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])gramya\.techofi\.in[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104802; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain greenconceptsjm.com"; dns.query; content:"greenconceptsjm.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])greenconceptsjm\.com$/i"; classtype:trojan-activity; sid:4104811; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain greenconceptsjm.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"greenconceptsjm.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])greenconceptsjm\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104812; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain greentek.lk"; dns.query; content:"greentek.lk"; nocase; pcre: "/(^|[^A-Za-z0-9-])greentek\.lk$/i"; classtype:trojan-activity; sid:4104821; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain greentek.lk"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"greentek.lk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])greentek\.lk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104822; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain gruasingenieria.pe"; dns.query; content:"gruasingenieria.pe"; nocase; pcre: "/(^|[^A-Za-z0-9-])gruasingenieria\.pe$/i"; classtype:trojan-activity; sid:4104831; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain gruasingenieria.pe"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gruasingenieria.pe"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gruasingenieria\.pe[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104832; rev:1; 
priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain grupocitytel.mx"; dns.query; content:"grupocitytel.mx"; nocase; pcre: "/(^|[^A-Za-z0-9-])grupocitytel\.mx$/i"; classtype:trojan-activity; sid:4104841; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain grupocitytel.mx"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"grupocitytel.mx"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])grupocitytel\.mx[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104842; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain gruporaosari.com"; dns.query; content:"gruporaosari.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])gruporaosari\.com$/i"; classtype:trojan-activity; sid:4104851; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain gruporaosari.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gruporaosari.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gruporaosari\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; 
sid:4104852; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain gurdwaraaid.com"; dns.query; content:"gurdwaraaid.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])gurdwaraaid\.com$/i"; classtype:trojan-activity; sid:4104861; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain gurdwaraaid.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gurdwaraaid.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gurdwaraaid\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104862; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain gypsysanddunes.com"; dns.query; content:"gypsysanddunes.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])gypsysanddunes\.com$/i"; classtype:trojan-activity; sid:4104871; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain gypsysanddunes.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gypsysanddunes.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gypsysanddunes\.com[^A-Za-z0-9-\.]/Hi"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4104872; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain haleathers.com"; dns.query; content:"haleathers.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])haleathers\.com$/i"; classtype:trojan-activity; sid:4104881; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain haleathers.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"haleathers.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])haleathers\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104882; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain hartwoodcrafts.com"; dns.query; content:"hartwoodcrafts.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])hartwoodcrafts\.com$/i"; classtype:trojan-activity; sid:4104891; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain hartwoodcrafts.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hartwoodcrafts.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])hartwoodcrafts\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104892; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain hazlo.global"; dns.query; content:"hazlo.global"; nocase; pcre: "/(^|[^A-Za-z0-9-])hazlo\.global$/i"; classtype:trojan-activity; sid:4104901; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain hazlo.global"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hazlo.global"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hazlo\.global[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104902; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain hdweel.com"; dns.query; content:"hdweel.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])hdweel\.com$/i"; classtype:trojan-activity; sid:4104911; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain hdweel.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hdweel.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])hdweel\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104912; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain hindisaathi.in"; dns.query; content:"hindisaathi.in"; nocase; pcre: "/(^|[^A-Za-z0-9-])hindisaathi\.in$/i"; classtype:trojan-activity; sid:4104921; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain hindisaathi.in"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hindisaathi.in"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hindisaathi\.in[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104922; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain hirimmigration.com"; dns.query; content:"hirimmigration.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])hirimmigration\.com$/i"; classtype:trojan-activity; sid:4104931; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain hirimmigration.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hirimmigration.com"; fast_pattern; 
nocase; pcre: "/(^|[^A-Za-z0-9-])hirimmigration\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104932; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain hisarsms.com"; dns.query; content:"hisarsms.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])hisarsms\.com$/i"; classtype:trojan-activity; sid:4104941; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain hisarsms.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hisarsms.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hisarsms\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104942; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain hishamgraphics.com"; dns.query; content:"hishamgraphics.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])hishamgraphics\.com$/i"; classtype:trojan-activity; sid:4104951; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain hishamgraphics.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hishamgraphics.com"; 
fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hishamgraphics\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104952; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain hitadolawfirm.com"; dns.query; content:"hitadolawfirm.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])hitadolawfirm\.com$/i"; classtype:trojan-activity; sid:4104961; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain hitadolawfirm.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hitadolawfirm.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hitadolawfirm\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104962; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain hopechestintfoundation.org"; dns.query; content:"hopechestintfoundation.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])hopechestintfoundation\.org$/i"; classtype:trojan-activity; sid:4104971; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain hopechestintfoundation.org"; flow:to_server,established; http.header; 
content: "Host|3a|"; nocase; http.header; content:"hopechestintfoundation.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hopechestintfoundation\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104972; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname hrms.prodigygroupindia.com"; dns.query; content:"hrms.prodigygroupindia.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])hrms\.prodigygroupindia\.com$/i"; classtype:trojan-activity; sid:4104981; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname hrms.prodigygroupindia.com"; flow:to_server,established; http.header; content: "Host|3a| hrms.prodigygroupindia.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])hrms\.prodigygroupindia\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104982; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain htaminorfault.xyz"; dns.query; content:"htaminorfault.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])htaminorfault\.xyz$/i"; classtype:trojan-activity; sid:4104991; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - 
T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain htaminorfault.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"htaminorfault.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])htaminorfault\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4104992; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain hustlerarena.com"; dns.query; content:"hustlerarena.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])hustlerarena\.com$/i"; classtype:trojan-activity; sid:4105001; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain hustlerarena.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hustlerarena.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hustlerarena\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105002; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain hvacsupportservices.com"; dns.query; content:"hvacsupportservices.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])hvacsupportservices\.com$/i"; classtype:trojan-activity; sid:4105011; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 
[misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain hvacsupportservices.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hvacsupportservices.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hvacsupportservices\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105012; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain iccibusiness.com"; dns.query; content:"iccibusiness.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])iccibusiness\.com$/i"; classtype:trojan-activity; sid:4105021; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain iccibusiness.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"iccibusiness.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])iccibusiness\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105022; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain ifiengineers.com"; dns.query; content:"ifiengineers.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ifiengineers\.com$/i"; classtype:trojan-activity; sid:4105031; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain ifiengineers.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ifiengineers.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ifiengineers\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105032; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain ifxsoccer.com"; dns.query; content:"ifxsoccer.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ifxsoccer\.com$/i"; classtype:trojan-activity; sid:4105041; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain ifxsoccer.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ifxsoccer.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ifxsoccer\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105042; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain igraonice.hr"; dns.query; content:"igraonice.hr"; nocase; pcre: "/(^|[^A-Za-z0-9-])igraonice\.hr$/i"; classtype:trojan-activity; sid:4105051; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain igraonice.hr"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"igraonice.hr"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])igraonice\.hr[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105052; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain iihs.online"; dns.query; content:"iihs.online"; nocase; pcre: "/(^|[^A-Za-z0-9-])iihs\.online$/i"; classtype:trojan-activity; sid:4105061; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain iihs.online"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"iihs.online"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])iihs\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105062; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain immci.net"; dns.query; content:"immci.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])immci\.net$/i"; classtype:trojan-activity; sid:4105071; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: 
"MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain immci.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"immci.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])immci\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105072; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain inboundgrp.com"; dns.query; content:"inboundgrp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])inboundgrp\.com$/i"; classtype:trojan-activity; sid:4105081; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain inboundgrp.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"inboundgrp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])inboundgrp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105082; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname incentivaconsultores.com.co"; dns.query; content:"incentivaconsultores.com.co"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])incentivaconsultores\.com\.co$/i"; classtype:trojan-activity; sid:4105091; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname incentivaconsultores.com.co"; flow:to_server,established; http.header; content: "Host|3a| incentivaconsultores.com.co"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])incentivaconsultores\.com\.co[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105092; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain indiraalnatural.com"; dns.query; content:"indiraalnatural.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])indiraalnatural\.com$/i"; classtype:trojan-activity; sid:4105101; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain indiraalnatural.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"indiraalnatural.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])indiraalnatural\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105102; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname inetworx.co.za"; dns.query; content:"inetworx.co.za"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])inetworx\.co\.za$/i"; classtype:trojan-activity; sid:4105111; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname inetworx.co.za"; flow:to_server,established; http.header; content: "Host|3a| inetworx.co.za"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])inetworx\.co\.za[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105112; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain ingecolservices.com"; dns.query; content:"ingecolservices.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ingecolservices\.com$/i"; classtype:trojan-activity; sid:4105121; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain ingecolservices.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ingecolservices.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ingecolservices\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105122; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain inlighttrans.com"; dns.query; content:"inlighttrans.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])inlighttrans\.com$/i"; classtype:trojan-activity; sid:4105131; rev:1; 
priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain inlighttrans.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"inlighttrans.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])inlighttrans\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105132; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname insurance.akademiilmujaya.com"; dns.query; content:"insurance.akademiilmujaya.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])insurance\.akademiilmujaya\.com$/i"; classtype:trojan-activity; sid:4105141; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname insurance.akademiilmujaya.com"; flow:to_server,established; http.header; content: "Host|3a| insurance.akademiilmujaya.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])insurance\.akademiilmujaya\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105142; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain intelmeda.com"; dns.query; content:"intelmeda.com"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])intelmeda\.com$/i"; classtype:trojan-activity; sid:4105151; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain intelmeda.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"intelmeda.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])intelmeda\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105152; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain ipsmiderosvela.com"; dns.query; content:"ipsmiderosvela.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ipsmiderosvela\.com$/i"; classtype:trojan-activity; sid:4105161; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain ipsmiderosvela.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ipsmiderosvela.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ipsmiderosvela\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105162; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain iptvboy.com"; dns.query; content:"iptvboy.com"; 
nocase; pcre: "/(^|[^A-Za-z0-9-])iptvboy\.com$/i"; classtype:trojan-activity; sid:4105171; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain iptvboy.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"iptvboy.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])iptvboy\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105172; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain ivatask.com"; dns.query; content:"ivatask.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ivatask\.com$/i"; classtype:trojan-activity; sid:4105181; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain ivatask.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ivatask.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ivatask\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105182; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain jatayuu.com"; dns.query; content:"jatayuu.com"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])jatayuu\.com$/i"; classtype:trojan-activity; sid:4105191; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain jatayuu.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"jatayuu.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])jatayuu\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105192; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain jesussavestoday.com"; dns.query; content:"jesussavestoday.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])jesussavestoday\.com$/i"; classtype:trojan-activity; sid:4105201; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain jesussavestoday.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"jesussavestoday.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])jesussavestoday\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105202; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain jewelrymegastores.com"; dns.query; 
content:"jewelrymegastores.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])jewelrymegastores\.com$/i"; classtype:trojan-activity; sid:4105211; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain jewelrymegastores.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"jewelrymegastores.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])jewelrymegastores\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105212; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain jhehosting.com"; dns.query; content:"jhehosting.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])jhehosting\.com$/i"; classtype:trojan-activity; sid:4105221; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain jhehosting.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"jhehosting.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])jhehosting\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105222; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] 
Domain jobingulfs.com"; dns.query; content:"jobingulfs.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])jobingulfs\.com$/i"; classtype:trojan-activity; sid:4105231; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain jobingulfs.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"jobingulfs.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])jobingulfs\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105232; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain jometro.com"; dns.query; content:"jometro.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])jometro\.com$/i"; classtype:trojan-activity; sid:4105241; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain jometro.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"jometro.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])jometro\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105242; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname 
jvldrp.techofi.in"; dns.query; content:"jvldrp.techofi.in"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])jvldrp\.techofi\.in$/i"; classtype:trojan-activity; sid:4105251; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname jvldrp.techofi.in"; flow:to_server,established; http.header; content: "Host|3a| jvldrp.techofi.in"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])jvldrp\.techofi\.in[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105252; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain kaptarvill.hu"; dns.query; content:"kaptarvill.hu"; nocase; pcre: "/(^|[^A-Za-z0-9-])kaptarvill\.hu$/i"; classtype:trojan-activity; sid:4105261; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain kaptarvill.hu"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kaptarvill.hu"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kaptarvill\.hu[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105262; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain 
katerinapapakosta.gr"; dns.query; content:"katerinapapakosta.gr"; nocase; pcre: "/(^|[^A-Za-z0-9-])katerinapapakosta\.gr$/i"; classtype:trojan-activity; sid:4105271; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain katerinapapakosta.gr"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"katerinapapakosta.gr"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])katerinapapakosta\.gr[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105272; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain kazema.my"; dns.query; content:"kazema.my"; nocase; pcre: "/(^|[^A-Za-z0-9-])kazema\.my$/i"; classtype:trojan-activity; sid:4105281; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain kazema.my"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kazema.my"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kazema\.my[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105282; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] 
Domain kemitafricatours.com"; dns.query; content:"kemitafricatours.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])kemitafricatours\.com$/i"; classtype:trojan-activity; sid:4105291; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain kemitafricatours.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kemitafricatours.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kemitafricatours\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105292; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain key4net.com"; dns.query; content:"key4net.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])key4net\.com$/i"; classtype:trojan-activity; sid:4105301; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain key4net.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"key4net.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])key4net\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105302; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - 
T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname keysite.com.co"; dns.query; content:"keysite.com.co"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])keysite\.com\.co$/i"; classtype:trojan-activity; sid:4105311; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname keysite.com.co"; flow:to_server,established; http.header; content: "Host|3a| keysite.com.co"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])keysite\.com\.co[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105312; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain kiemtienty.com"; dns.query; content:"kiemtienty.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])kiemtienty\.com$/i"; classtype:trojan-activity; sid:4105321; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain kiemtienty.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kiemtienty.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kiemtienty\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105322; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - 
T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain kingstonschools.net"; dns.query; content:"kingstonschools.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])kingstonschools\.net$/i"; classtype:trojan-activity; sid:4105331; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain kingstonschools.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kingstonschools.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kingstonschools\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105332; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain kmslogistik.com"; dns.query; content:"kmslogistik.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])kmslogistik\.com$/i"; classtype:trojan-activity; sid:4105341; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain kmslogistik.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kmslogistik.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kmslogistik\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105342; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 
[misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain kncci.in"; dns.query; content:"kncci.in"; nocase; pcre: "/(^|[^A-Za-z0-9-])kncci\.in$/i"; classtype:trojan-activity; sid:4105351; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain kncci.in"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kncci.in"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kncci\.in[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105352; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain krumaila.com"; dns.query; content:"krumaila.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])krumaila\.com$/i"; classtype:trojan-activity; sid:4105361; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain krumaila.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"krumaila.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])krumaila\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105362; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - 
T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain ktechnetwork.com"; dns.query; content:"ktechnetwork.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ktechnetwork\.com$/i"; classtype:trojan-activity; sid:4105371; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain ktechnetwork.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ktechnetwork.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ktechnetwork\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105372; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain kupisha.pl"; dns.query; content:"kupisha.pl"; nocase; pcre: "/(^|[^A-Za-z0-9-])kupisha\.pl$/i"; classtype:trojan-activity; sid:4105381; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain kupisha.pl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kupisha.pl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kupisha\.pl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105382; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - 
T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain landsiedel-rusch.com"; dns.query; content:"landsiedel-rusch.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])landsiedel\-rusch\.com$/i"; classtype:trojan-activity; sid:4105391; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain landsiedel-rusch.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"landsiedel-rusch.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])landsiedel\-rusch\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105392; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain lankadesigner.tk"; dns.query; content:"lankadesigner.tk"; nocase; pcre: "/(^|[^A-Za-z0-9-])lankadesigner\.tk$/i"; classtype:trojan-activity; sid:4105401; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain lankadesigner.tk"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lankadesigner.tk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lankadesigner\.tk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105402; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP 
e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain laronef.ro"; dns.query; content:"laronef.ro"; nocase; pcre: "/(^|[^A-Za-z0-9-])laronef\.ro$/i"; classtype:trojan-activity; sid:4105411; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain laronef.ro"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"laronef.ro"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])laronef\.ro[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105412; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain latinbusinesspower.com"; dns.query; content:"latinbusinesspower.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])latinbusinesspower\.com$/i"; classtype:trojan-activity; sid:4105421; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain latinbusinesspower.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"latinbusinesspower.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])latinbusinesspower\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105422; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any 
-> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain lawyerswatchforjustice.com"; dns.query; content:"lawyerswatchforjustice.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])lawyerswatchforjustice\.com$/i"; classtype:trojan-activity; sid:4105431; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain lawyerswatchforjustice.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lawyerswatchforjustice.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lawyerswatchforjustice\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105432; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname lead.jhinfotech.co"; dns.query; content:"lead.jhinfotech.co"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])lead\.jhinfotech\.co$/i"; classtype:trojan-activity; sid:4105441; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname lead.jhinfotech.co"; flow:to_server,established; http.header; content: "Host|3a| lead.jhinfotech.co"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])lead\.jhinfotech\.co[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105442; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname lenartsa.webd.pro"; dns.query; content:"lenartsa.webd.pro"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])lenartsa\.webd\.pro$/i"; classtype:trojan-activity; sid:4105451; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname lenartsa.webd.pro"; flow:to_server,established; http.header; content: "Host|3a| lenartsa.webd.pro"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])lenartsa\.webd\.pro[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105452; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain lfzombiegames.com"; dns.query; content:"lfzombiegames.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])lfzombiegames\.com$/i"; classtype:trojan-activity; sid:4105461; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain lfzombiegames.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lfzombiegames.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lfzombiegames\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105462; rev:1; 
priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain lidergoloperu.com"; dns.query; content:"lidergoloperu.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])lidergoloperu\.com$/i"; classtype:trojan-activity; sid:4105471; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain lidergoloperu.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lidergoloperu.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lidergoloperu\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105472; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain list-ltd.com"; dns.query; content:"list-ltd.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])list\-ltd\.com$/i"; classtype:trojan-activity; sid:4105481; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain list-ltd.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"list-ltd.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])list\-ltd\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105482; 
rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain logisticspartnertz.com"; dns.query; content:"logisticspartnertz.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])logisticspartnertz\.com$/i"; classtype:trojan-activity; sid:4105491; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain logisticspartnertz.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"logisticspartnertz.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])logisticspartnertz\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105492; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain logmein-basic.xyz"; dns.query; content:"logmein-basic.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])logmein\-basic\.xyz$/i"; classtype:trojan-activity; sid:4105501; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain logmein-basic.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"logmein-basic.xyz"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])logmein\-basic\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105502; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain logotale.com"; dns.query; content:"logotale.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])logotale\.com$/i"; classtype:trojan-activity; sid:4105511; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain logotale.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"logotale.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])logotale\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105512; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain lotolands.com"; dns.query; content:"lotolands.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])lotolands\.com$/i"; classtype:trojan-activity; sid:4105521; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain lotolands.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lotolands.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])lotolands\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105522; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain lotterysambadear.in"; dns.query; content:"lotterysambadear.in"; nocase; pcre: "/(^|[^A-Za-z0-9-])lotterysambadear\.in$/i"; classtype:trojan-activity; sid:4105531; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain lotterysambadear.in"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lotterysambadear.in"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lotterysambadear\.in[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105532; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain luisperezgutierrez.com"; dns.query; content:"luisperezgutierrez.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])luisperezgutierrez\.com$/i"; classtype:trojan-activity; sid:4105541; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain luisperezgutierrez.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; 
http.header; content:"luisperezgutierrez.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])luisperezgutierrez\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105542; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname m.stattimes.com"; dns.query; content:"m.stattimes.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])m\.stattimes\.com$/i"; classtype:trojan-activity; sid:4105551; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname m.stattimes.com"; flow:to_server,established; http.header; content: "Host|3a| m.stattimes.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])m\.stattimes\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105552; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain maasaieye.com"; dns.query; content:"maasaieye.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])maasaieye\.com$/i"; classtype:trojan-activity; sid:4105561; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain maasaieye.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; 
http.header; content:"maasaieye.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])maasaieye\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105562; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain maliksauto.com"; dns.query; content:"maliksauto.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])maliksauto\.com$/i"; classtype:trojan-activity; sid:4105571; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain maliksauto.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"maliksauto.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])maliksauto\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105572; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain manuelarzola.cl"; dns.query; content:"manuelarzola.cl"; nocase; pcre: "/(^|[^A-Za-z0-9-])manuelarzola\.cl$/i"; classtype:trojan-activity; sid:4105581; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain manuelarzola.cl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; 
http.header; content:"manuelarzola.cl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])manuelarzola\.cl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105582; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain marketingpolitico.io"; dns.query; content:"marketingpolitico.io"; nocase; pcre: "/(^|[^A-Za-z0-9-])marketingpolitico\.io$/i"; classtype:trojan-activity; sid:4105591; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain marketingpolitico.io"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"marketingpolitico.io"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])marketingpolitico\.io[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105592; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain masajbrasov.ro"; dns.query; content:"masajbrasov.ro"; nocase; pcre: "/(^|[^A-Za-z0-9-])masajbrasov\.ro$/i"; classtype:trojan-activity; sid:4105601; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain masajbrasov.ro"; flow:to_server,established; 
http.header; content: "Host|3a|"; nocase; http.header; content:"masajbrasov.ro"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])masajbrasov\.ro[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105602; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname materialdidatico.sigetweb.com.br"; dns.query; content:"materialdidatico.sigetweb.com.br"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])materialdidatico\.sigetweb\.com\.br$/i"; classtype:trojan-activity; sid:4105611; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname materialdidatico.sigetweb.com.br"; flow:to_server,established; http.header; content: "Host|3a| materialdidatico.sigetweb.com.br"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])materialdidatico\.sigetweb\.com\.br[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105612; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain maxacrepairservice.com"; dns.query; content:"maxacrepairservice.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])maxacrepairservice\.com$/i"; classtype:trojan-activity; sid:4105621; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - 
T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain maxacrepairservice.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"maxacrepairservice.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])maxacrepairservice\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105622; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain maxdigitizing.com"; dns.query; content:"maxdigitizing.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])maxdigitizing\.com$/i"; classtype:trojan-activity; sid:4105631; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain maxdigitizing.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"maxdigitizing.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])maxdigitizing\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105632; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain meatworld-pk.com"; dns.query; content:"meatworld-pk.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])meatworld\-pk\.com$/i"; classtype:trojan-activity; sid:4105641; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP 
e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain meatworld-pk.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"meatworld-pk.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])meatworld\-pk\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105642; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain mediaworld.ro"; dns.query; content:"mediaworld.ro"; nocase; pcre: "/(^|[^A-Za-z0-9-])mediaworld\.ro$/i"; classtype:trojan-activity; sid:4105651; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain mediaworld.ro"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mediaworld.ro"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mediaworld\.ro[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105652; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain medspa.it"; dns.query; content:"medspa.it"; nocase; pcre: "/(^|[^A-Za-z0-9-])medspa\.it$/i"; classtype:trojan-activity; sid:4105661; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 
[misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain medspa.it"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"medspa.it"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])medspa\.it[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105662; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain meetinsrilanka.com"; dns.query; content:"meetinsrilanka.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])meetinsrilanka\.com$/i"; classtype:trojan-activity; sid:4105671; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain meetinsrilanka.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"meetinsrilanka.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])meetinsrilanka\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105672; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain megasoftsol.com"; dns.query; content:"megasoftsol.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])megasoftsol\.com$/i"; classtype:trojan-activity; sid:4105681; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: 
"MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain megasoftsol.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"megasoftsol.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])megasoftsol\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105682; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain mehbooboptical.com"; dns.query; content:"mehbooboptical.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])mehbooboptical\.com$/i"; classtype:trojan-activity; sid:4105691; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain mehbooboptical.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mehbooboptical.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mehbooboptical\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105692; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain menopausechanges.com"; dns.query; content:"menopausechanges.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])menopausechanges\.com$/i"; classtype:trojan-activity; sid:4105701; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain menopausechanges.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"menopausechanges.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])menopausechanges\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105702; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain menrocks.com"; dns.query; content:"menrocks.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])menrocks\.com$/i"; classtype:trojan-activity; sid:4105711; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain menrocks.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"menrocks.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])menrocks\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105712; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain mercyfoundationcio.org"; dns.query; content:"mercyfoundationcio.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])mercyfoundationcio\.org$/i"; classtype:trojan-activity; sid:4105721; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain mercyfoundationcio.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mercyfoundationcio.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mercyfoundationcio\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105722; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain meropos.com"; dns.query; content:"meropos.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])meropos\.com$/i"; classtype:trojan-activity; sid:4105731; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain meropos.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"meropos.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])meropos\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105732; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain metalerp.com"; dns.query; content:"metalerp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])metalerp\.com$/i"; classtype:trojan-activity; sid:4105741; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain metalerp.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"metalerp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])metalerp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105742; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain mipymetv.com"; dns.query; content:"mipymetv.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])mipymetv\.com$/i"; classtype:trojan-activity; sid:4105751; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain mipymetv.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mipymetv.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mipymetv\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105752; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain mixmarketing.vn"; dns.query; content:"mixmarketing.vn"; nocase; pcre: "/(^|[^A-Za-z0-9-])mixmarketing\.vn$/i"; classtype:trojan-activity; sid:4105761; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain mixmarketing.vn"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mixmarketing.vn"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mixmarketing\.vn[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105762; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain mjvaping.mx"; dns.query; content:"mjvaping.mx"; nocase; pcre: "/(^|[^A-Za-z0-9-])mjvaping\.mx$/i"; classtype:trojan-activity; sid:4105771; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain mjvaping.mx"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mjvaping.mx"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mjvaping\.mx[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105772; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain mm-model.hr"; dns.query; content:"mm-model.hr"; nocase; pcre: "/(^|[^A-Za-z0-9-])mm\-model\.hr$/i"; classtype:trojan-activity; sid:4105781; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain mm-model.hr"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mm-model.hr"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mm\-model\.hr[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105782; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain modernization8.site"; dns.query; content:"modernization8.site"; nocase; pcre: "/(^|[^A-Za-z0-9-])modernization8\.site$/i"; classtype:trojan-activity; sid:4105791; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain modernization8.site"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"modernization8.site"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])modernization8\.site[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105792; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain moeinjelveh.ir"; dns.query; content:"moeinjelveh.ir"; nocase; pcre: "/(^|[^A-Za-z0-9-])moeinjelveh\.ir$/i"; classtype:trojan-activity; 
sid:4105801; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain moeinjelveh.ir"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"moeinjelveh.ir"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])moeinjelveh\.ir[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105802; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain moirazuazo.com"; dns.query; content:"moirazuazo.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])moirazuazo\.com$/i"; classtype:trojan-activity; sid:4105811; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain moirazuazo.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"moirazuazo.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])moirazuazo\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105812; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain mongolianteam.org"; dns.query; content:"mongolianteam.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])mongolianteam\.org$/i"; 
classtype:trojan-activity; sid:4105821; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain mongolianteam.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mongolianteam.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mongolianteam\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105822; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname moodle.sigetweb.com.br"; dns.query; content:"moodle.sigetweb.com.br"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])moodle\.sigetweb\.com\.br$/i"; classtype:trojan-activity; sid:4105831; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname moodle.sigetweb.com.br"; flow:to_server,established; http.header; content: "Host|3a| moodle.sigetweb.com.br"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])moodle\.sigetweb\.com\.br[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105832; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain msetoengineering.com"; dns.query; content:"msetoengineering.com"; 
nocase; pcre: "/(^|[^A-Za-z0-9-])msetoengineering\.com$/i"; classtype:trojan-activity; sid:4105841; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain msetoengineering.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"msetoengineering.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])msetoengineering\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105842; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain mskneurology.no"; dns.query; content:"mskneurology.no"; nocase; pcre: "/(^|[^A-Za-z0-9-])mskneurology\.no$/i"; classtype:trojan-activity; sid:4105851; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain mskneurology.no"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mskneurology.no"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mskneurology\.no[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105852; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain msrsac.com"; dns.query; 
content:"msrsac.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])msrsac\.com$/i"; classtype:trojan-activity; sid:4105861; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain msrsac.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"msrsac.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])msrsac\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105862; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain mueblesycocinascarraro.com"; dns.query; content:"mueblesycocinascarraro.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])mueblesycocinascarraro\.com$/i"; classtype:trojan-activity; sid:4105871; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain mueblesycocinascarraro.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mueblesycocinascarraro.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mueblesycocinascarraro\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105872; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - 
T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain mugentomi.com"; dns.query; content:"mugentomi.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])mugentomi\.com$/i"; classtype:trojan-activity; sid:4105881; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain mugentomi.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mugentomi.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mugentomi\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105882; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain multasuy.com"; dns.query; content:"multasuy.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])multasuy\.com$/i"; classtype:trojan-activity; sid:4105891; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain multasuy.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"multasuy.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])multasuy\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105892; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - 
T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain multiplymyincome.com"; dns.query; content:"multiplymyincome.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])multiplymyincome\.com$/i"; classtype:trojan-activity; sid:4105901; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain multiplymyincome.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"multiplymyincome.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])multiplymyincome\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105902; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain musicvalley.in"; dns.query; content:"musicvalley.in"; nocase; pcre: "/(^|[^A-Za-z0-9-])musicvalley\.in$/i"; classtype:trojan-activity; sid:4105911; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain musicvalley.in"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"musicvalley.in"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])musicvalley\.in[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105912; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 
[misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain naelectric.com"; dns.query; content:"naelectric.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])naelectric\.com$/i"; classtype:trojan-activity; sid:4105921; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain naelectric.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"naelectric.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])naelectric\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105922; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain najmatqubah.com"; dns.query; content:"najmatqubah.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])najmatqubah\.com$/i"; classtype:trojan-activity; sid:4105931; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain najmatqubah.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"najmatqubah.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])najmatqubah\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105932; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP 
e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain nandhijothidam.com"; dns.query; content:"nandhijothidam.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])nandhijothidam\.com$/i"; classtype:trojan-activity; sid:4105941; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain nandhijothidam.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nandhijothidam.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nandhijothidam\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105942; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain narenjvtoranj.ir"; dns.query; content:"narenjvtoranj.ir"; nocase; pcre: "/(^|[^A-Za-z0-9-])narenjvtoranj\.ir$/i"; classtype:trojan-activity; sid:4105951; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain narenjvtoranj.ir"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"narenjvtoranj.ir"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])narenjvtoranj\.ir[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105952; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert 
dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain nascentgroupbd.com"; dns.query; content:"nascentgroupbd.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])nascentgroupbd\.com$/i"; classtype:trojan-activity; sid:4105961; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain nascentgroupbd.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nascentgroupbd.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nascentgroupbd\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105962; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain nelberklanguages.com"; dns.query; content:"nelberklanguages.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])nelberklanguages\.com$/i"; classtype:trojan-activity; sid:4105971; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain nelberklanguages.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nelberklanguages.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nelberklanguages\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105972; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain neonluzz.com"; dns.query; content:"neonluzz.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])neonluzz\.com$/i"; classtype:trojan-activity; sid:4105981; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain neonluzz.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"neonluzz.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])neonluzz\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105982; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain network-jordan.com"; dns.query; content:"network-jordan.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])network\-jordan\.com$/i"; classtype:trojan-activity; sid:4105991; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain network-jordan.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"network-jordan.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])network\-jordan\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4105992; rev:1; 
priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain neurodatapro.com"; dns.query; content:"neurodatapro.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])neurodatapro\.com$/i"; classtype:trojan-activity; sid:4106001; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain neurodatapro.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"neurodatapro.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])neurodatapro\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106002; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname new.actsgeneration.org"; dns.query; content:"new.actsgeneration.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])new\.actsgeneration\.org$/i"; classtype:trojan-activity; sid:4106011; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname new.actsgeneration.org"; flow:to_server,established; http.header; content: "Host|3a| new.actsgeneration.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])new\.actsgeneration\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4106012; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain nievatrading.com"; dns.query; content:"nievatrading.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])nievatrading\.com$/i"; classtype:trojan-activity; sid:4106021; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain nievatrading.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nievatrading.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nievatrading\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106022; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain nisadelgado.com"; dns.query; content:"nisadelgado.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])nisadelgado\.com$/i"; classtype:trojan-activity; sid:4106031; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain nisadelgado.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nisadelgado.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nisadelgado\.com[^A-Za-z0-9-\.]/Hi"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4106032; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname novamarketing.com.pk"; dns.query; content:"novamarketing.com.pk"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])novamarketing\.com\.pk$/i"; classtype:trojan-activity; sid:4106041; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname novamarketing.com.pk"; flow:to_server,established; http.header; content: "Host|3a| novamarketing.com.pk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])novamarketing\.com\.pk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106042; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain octopusmarine.in"; dns.query; content:"octopusmarine.in"; nocase; pcre: "/(^|[^A-Za-z0-9-])octopusmarine\.in$/i"; classtype:trojan-activity; sid:4106051; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain octopusmarine.in"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"octopusmarine.in"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])octopusmarine\.in[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106052; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain ogajo.com"; dns.query; content:"ogajo.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ogajo\.com$/i"; classtype:trojan-activity; sid:4106061; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain ogajo.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ogajo.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ogajo\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106062; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain oldmaestro.com"; dns.query; content:"oldmaestro.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])oldmaestro\.com$/i"; classtype:trojan-activity; sid:4106071; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain oldmaestro.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"oldmaestro.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])oldmaestro\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106072; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain olimpia-imob.ro"; dns.query; content:"olimpia-imob.ro"; nocase; pcre: "/(^|[^A-Za-z0-9-])olimpia\-imob\.ro$/i"; classtype:trojan-activity; sid:4106081; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain olimpia-imob.ro"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"olimpia-imob.ro"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])olimpia\-imob\.ro[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106082; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain one8one.lk"; dns.query; content:"one8one.lk"; nocase; pcre: "/(^|[^A-Za-z0-9-])one8one\.lk$/i"; classtype:trojan-activity; sid:4106091; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain one8one.lk"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"one8one.lk"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])one8one\.lk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106092; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain orquideavallenata.com"; dns.query; content:"orquideavallenata.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])orquideavallenata\.com$/i"; classtype:trojan-activity; sid:4106101; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain orquideavallenata.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"orquideavallenata.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])orquideavallenata\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106102; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain ottawaprocessservers.ca"; dns.query; content:"ottawaprocessservers.ca"; nocase; pcre: "/(^|[^A-Za-z0-9-])ottawaprocessservers\.ca$/i"; classtype:trojan-activity; sid:4106111; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain ottawaprocessservers.ca"; flow:to_server,established; http.header; content: "Host|3a|"; 
nocase; http.header; content:"ottawaprocessservers.ca"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ottawaprocessservers\.ca[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106112; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain outdoorroar.com"; dns.query; content:"outdoorroar.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])outdoorroar\.com$/i"; classtype:trojan-activity; sid:4106121; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain outdoorroar.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"outdoorroar.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])outdoorroar\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106122; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain ovni.chat"; dns.query; content:"ovni.chat"; nocase; pcre: "/(^|[^A-Za-z0-9-])ovni\.chat$/i"; classtype:trojan-activity; sid:4106131; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain ovni.chat"; flow:to_server,established; http.header; content: 
"Host|3a|"; nocase; http.header; content:"ovni.chat"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ovni\.chat[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106132; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain owfix.net"; dns.query; content:"owfix.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])owfix\.net$/i"; classtype:trojan-activity; sid:4106141; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain owfix.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"owfix.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])owfix\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106142; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain palloe.com"; dns.query; content:"palloe.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])palloe\.com$/i"; classtype:trojan-activity; sid:4106151; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain palloe.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"palloe.com"; 
fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])palloe\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106152; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain panduzone.com"; dns.query; content:"panduzone.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])panduzone\.com$/i"; classtype:trojan-activity; sid:4106161; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain panduzone.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"panduzone.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])panduzone\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106162; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname panel.betfredtakeaway.com"; dns.query; content:"panel.betfredtakeaway.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])panel\.betfredtakeaway\.com$/i"; classtype:trojan-activity; sid:4106171; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname panel.betfredtakeaway.com"; flow:to_server,established; http.header; content: "Host|3a| 
panel.betfredtakeaway.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])panel\.betfredtakeaway\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106172; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname panel.gandcrewards.com"; dns.query; content:"panel.gandcrewards.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])panel\.gandcrewards\.com$/i"; classtype:trojan-activity; sid:4106181; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname panel.gandcrewards.com"; flow:to_server,established; http.header; content: "Host|3a| panel.gandcrewards.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])panel\.gandcrewards\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106182; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname panel.top-gaming.ro"; dns.query; content:"panel.top-gaming.ro"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])panel\.top\-gaming\.ro$/i"; classtype:trojan-activity; sid:4106191; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname panel.top-gaming.ro"; 
flow:to_server,established; http.header; content: "Host|3a| panel.top-gaming.ro"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])panel\.top\-gaming\.ro[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106192; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain panoramatravel.com"; dns.query; content:"panoramatravel.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])panoramatravel\.com$/i"; classtype:trojan-activity; sid:4106201; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain panoramatravel.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"panoramatravel.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])panoramatravel\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106202; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain passionatepamperingllc.com"; dns.query; content:"passionatepamperingllc.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])passionatepamperingllc\.com$/i"; classtype:trojan-activity; sid:4106211; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - 
T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain passionatepamperingllc.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"passionatepamperingllc.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])passionatepamperingllc\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106212; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain patiperrosadventure.cl"; dns.query; content:"patiperrosadventure.cl"; nocase; pcre: "/(^|[^A-Za-z0-9-])patiperrosadventure\.cl$/i"; classtype:trojan-activity; sid:4106221; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain patiperrosadventure.cl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"patiperrosadventure.cl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])patiperrosadventure\.cl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106222; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain paype.live"; dns.query; content:"paype.live"; nocase; pcre: "/(^|[^A-Za-z0-9-])paype\.live$/i"; classtype:trojan-activity; sid:4106231; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain paype.live"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"paype.live"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])paype\.live[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106232; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname pcbsi.com.ph"; dns.query; content:"pcbsi.com.ph"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])pcbsi\.com\.ph$/i"; classtype:trojan-activity; sid:4106241; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname pcbsi.com.ph"; flow:to_server,established; http.header; content: "Host|3a| pcbsi.com.ph"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])pcbsi\.com\.ph[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106242; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain pccentercancun.com"; dns.query; content:"pccentercancun.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])pccentercancun\.com$/i"; classtype:trojan-activity; sid:4106251; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 
[misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain pccentercancun.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pccentercancun.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pccentercancun\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106252; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain pdcej.sn"; dns.query; content:"pdcej.sn"; nocase; pcre: "/(^|[^A-Za-z0-9-])pdcej\.sn$/i"; classtype:trojan-activity; sid:4106261; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain pdcej.sn"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pdcej.sn"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pdcej\.sn[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106262; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain pdmgtc.org"; dns.query; content:"pdmgtc.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])pdmgtc\.org$/i"; classtype:trojan-activity; sid:4106271; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 
[misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain pdmgtc.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pdmgtc.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pdmgtc\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106272; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain pearpearsadventures.com"; dns.query; content:"pearpearsadventures.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])pearpearsadventures\.com$/i"; classtype:trojan-activity; sid:4106281; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain pearpearsadventures.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pearpearsadventures.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pearpearsadventures\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106282; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain pelicansack.com"; dns.query; content:"pelicansack.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])pelicansack\.com$/i"; classtype:trojan-activity; sid:4106291; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain pelicansack.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pelicansack.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pelicansack\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106292; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain pensiunealac.ro"; dns.query; content:"pensiunealac.ro"; nocase; pcre: "/(^|[^A-Za-z0-9-])pensiunealac\.ro$/i"; classtype:trojan-activity; sid:4106301; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain pensiunealac.ro"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pensiunealac.ro"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pensiunealac\.ro[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106302; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain perfectdemos.com"; dns.query; content:"perfectdemos.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])perfectdemos\.com$/i"; classtype:trojan-activity; sid:4106311; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain perfectdemos.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"perfectdemos.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])perfectdemos\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106312; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain petexpopakistan.com"; dns.query; content:"petexpopakistan.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])petexpopakistan\.com$/i"; classtype:trojan-activity; sid:4106321; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain petexpopakistan.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"petexpopakistan.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])petexpopakistan\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106322; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain petfoodpakistan.com"; dns.query; content:"petfoodpakistan.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])petfoodpakistan\.com$/i"; 
classtype:trojan-activity; sid:4106331; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain petfoodpakistan.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"petfoodpakistan.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])petfoodpakistan\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106332; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain picta.ps"; dns.query; content:"picta.ps"; nocase; pcre: "/(^|[^A-Za-z0-9-])picta\.ps$/i"; classtype:trojan-activity; sid:4106341; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain picta.ps"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"picta.ps"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])picta\.ps[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106342; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain piladorademaiz.com"; dns.query; content:"piladorademaiz.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])piladorademaiz\.com$/i"; 
classtype:trojan-activity; sid:4106351; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain piladorademaiz.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"piladorademaiz.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])piladorademaiz\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106352; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname pin.anthony-jay.com"; dns.query; content:"pin.anthony-jay.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])pin\.anthony\-jay\.com$/i"; classtype:trojan-activity; sid:4106361; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname pin.anthony-jay.com"; flow:to_server,established; http.header; content: "Host|3a| pin.anthony-jay.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])pin\.anthony\-jay\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106362; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname planostart.mbvirtual.com.br"; dns.query; content:"planostart.mbvirtual.com.br"; 
nocase; pcre: "/(^|[^A-Za-z0-9-\.])planostart\.mbvirtual\.com\.br$/i"; classtype:trojan-activity; sid:4106371; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname planostart.mbvirtual.com.br"; flow:to_server,established; http.header; content: "Host|3a| planostart.mbvirtual.com.br"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])planostart\.mbvirtual\.com\.br[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106372; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain platinumsubzerorepair.com"; dns.query; content:"platinumsubzerorepair.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])platinumsubzerorepair\.com$/i"; classtype:trojan-activity; sid:4106381; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain platinumsubzerorepair.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"platinumsubzerorepair.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])platinumsubzerorepair\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106382; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - 
T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain playersliberia.com"; dns.query; content:"playersliberia.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])playersliberia\.com$/i"; classtype:trojan-activity; sid:4106391; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain playersliberia.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"playersliberia.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])playersliberia\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106392; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain policlinicocasilino.it"; dns.query; content:"policlinicocasilino.it"; nocase; pcre: "/(^|[^A-Za-z0-9-])policlinicocasilino\.it$/i"; classtype:trojan-activity; sid:4106401; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain policlinicocasilino.it"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"policlinicocasilino.it"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])policlinicocasilino\.it[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106402; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> 
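any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Hostname pontododiesel.com.br"; dns.query; content:"pontododiesel.com.br"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])pontododiesel\.com\.br$/i"; classtype:trojan-activity; sid:4106411; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
# ---- Reviewer notes (MISP event 250, phishing / T1566 infrastructure) ----
# - A rule must sit on one physical line: Suricata and Snort terminate a rule at the newline
#   unless it is continued with a backslash, so the rules below were re-flowed one per line.
# - Double quotes inside msg (the galaxy/taxonomy tag values) are escaped as \" so the msg
#   value is unambiguous to the rule parser and portable to Snort.
# - The "Outgoing HTTP" rules only see cleartext HTTP. They do not cover HTTPS, where the same
#   indicator is only visible in the TLS SNI (tls.sni) or through the DNS rules.
# - In the HTTP "Domain" rules the "Host|3a|" content and the domain content are two
#   independent matches on http.header (no distance/within), and the pcre is also on the whole
#   header block, so a Referer or Origin header naming the domain fires the rule too.
#   Treat hits as leads to triage, not verdicts. The "Hostname" rules anchor on "Host|3a| <host>".
# - The DNS rules are any -> any; where both the client->resolver and resolver->upstream legs
#   are monitored, one lookup can alert twice.
# - These are dated indicators (event 250, route-2021.xyz); many look like ordinary business or
#   personal sites, which in phishing campaigns usually means compromised hosts that may since
#   have been cleaned. Review age and relevance before turning any of these into drop rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Outgoing HTTP Hostname pontododiesel.com.br"; flow:to_server,established; http.header; content: "Host|3a| pontododiesel.com.br"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])pontododiesel\.com\.br[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106412; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Domain power1035.com"; dns.query; content:"power1035.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])power1035\.com$/i"; classtype:trojan-activity; sid:4106421; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Outgoing HTTP Domain power1035.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"power1035.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])power1035\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106422; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Domain ppbcinc.com"; dns.query; content:"ppbcinc.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ppbcinc\.com$/i"; classtype:trojan-activity; sid:4106431; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Outgoing HTTP Domain ppbcinc.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ppbcinc.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ppbcinc\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106432; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Domain prayerhouse.in"; dns.query; content:"prayerhouse.in"; nocase; pcre: "/(^|[^A-Za-z0-9-])prayerhouse\.in$/i"; classtype:trojan-activity; sid:4106441; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Outgoing HTTP Domain prayerhouse.in"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"prayerhouse.in"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])prayerhouse\.in[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106442; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Domain preparekrok.com"; dns.query; content:"preparekrok.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])preparekrok\.com$/i"; classtype:trojan-activity; sid:4106451; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Outgoing HTTP Domain preparekrok.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"preparekrok.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])preparekrok\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106452; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Domain prevenzioneformazionelavoro.it"; dns.query; content:"prevenzioneformazionelavoro.it"; nocase; pcre: "/(^|[^A-Za-z0-9-])prevenzioneformazionelavoro\.it$/i"; classtype:trojan-activity; sid:4106461; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Outgoing HTTP Domain prevenzioneformazionelavoro.it"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"prevenzioneformazionelavoro.it"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])prevenzioneformazionelavoro\.it[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106462; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Domain printonline.ae"; dns.query; content:"printonline.ae"; nocase; pcre: "/(^|[^A-Za-z0-9-])printonline\.ae$/i"; classtype:trojan-activity; sid:4106471; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Outgoing HTTP Domain printonline.ae"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"printonline.ae"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])printonline\.ae[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106472; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Domain priyacareers.com"; dns.query; content:"priyacareers.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])priyacareers\.com$/i"; classtype:trojan-activity; sid:4106481; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Outgoing HTTP Domain priyacareers.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"priyacareers.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])priyacareers\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106482; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Domain pro-tenis-club.ro"; dns.query; content:"pro-tenis-club.ro"; nocase; pcre: "/(^|[^A-Za-z0-9-])pro\-tenis\-club\.ro$/i"; classtype:trojan-activity; sid:4106491; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Outgoing HTTP Domain pro-tenis-club.ro"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pro-tenis-club.ro"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pro\-tenis\-club\.ro[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106492; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Domain procatodicadelacosta.com"; dns.query; content:"procatodicadelacosta.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])procatodicadelacosta\.com$/i"; classtype:trojan-activity; sid:4106501; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Outgoing HTTP Domain procatodicadelacosta.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"procatodicadelacosta.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])procatodicadelacosta\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106502; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Hostname producoesdahora.inclusaodahora.com.br"; dns.query; content:"producoesdahora.inclusaodahora.com.br"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])producoesdahora\.inclusaodahora\.com\.br$/i"; classtype:trojan-activity; sid:4106511; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Outgoing HTTP Hostname producoesdahora.inclusaodahora.com.br"; flow:to_server,established; http.header; content: "Host|3a| producoesdahora.inclusaodahora.com.br"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])producoesdahora\.inclusaodahora\.com\.br[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106512; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Domain proread.uz"; dns.query; content:"proread.uz"; nocase; pcre: "/(^|[^A-Za-z0-9-])proread\.uz$/i"; classtype:trojan-activity; sid:4106521; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Outgoing HTTP Domain proread.uz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"proread.uz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])proread\.uz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106522; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Domain provak.hr"; dns.query; content:"provak.hr"; nocase; pcre: "/(^|[^A-Za-z0-9-])provak\.hr$/i"; classtype:trojan-activity; sid:4106531; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Outgoing HTTP Domain provak.hr"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"provak.hr"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])provak\.hr[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106532; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Domain pttransmarco.com"; dns.query; content:"pttransmarco.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])pttransmarco\.com$/i"; classtype:trojan-activity; sid:4106541; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Outgoing HTTP Domain pttransmarco.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pttransmarco.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pttransmarco\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106542; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Domain pvtfans.com"; dns.query; content:"pvtfans.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])pvtfans\.com$/i"; classtype:trojan-activity; sid:4106551; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Outgoing HTTP Domain pvtfans.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pvtfans.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pvtfans\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106552; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Domain pwcgov-x.ml"; dns.query; content:"pwcgov-x.ml"; nocase; pcre: "/(^|[^A-Za-z0-9-])pwcgov\-x\.ml$/i"; classtype:trojan-activity; sid:4106561; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Outgoing HTTP Domain pwcgov-x.ml"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pwcgov-x.ml"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pwcgov\-x\.ml[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106562; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Domain qrabin.com"; dns.query; content:"qrabin.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])qrabin\.com$/i"; classtype:trojan-activity; sid:4106571; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Outgoing HTTP Domain qrabin.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"qrabin.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])qrabin\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106572; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Domain raahdari.com"; dns.query; content:"raahdari.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])raahdari\.com$/i"; classtype:trojan-activity; sid:4106581; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Outgoing HTTP Domain raahdari.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"raahdari.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])raahdari\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106582; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Domain razisystem.ir"; dns.query; content:"razisystem.ir"; nocase; pcre: "/(^|[^A-Za-z0-9-])razisystem\.ir$/i"; classtype:trojan-activity; sid:4106591; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Outgoing HTTP Domain razisystem.ir"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"razisystem.ir"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])razisystem\.ir[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106592; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Domain readgasm.com"; dns.query; content:"readgasm.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])readgasm\.com$/i"; classtype:trojan-activity; sid:4106601; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Outgoing HTTP Domain readgasm.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"readgasm.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])readgasm\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106602; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Domain recallelliehouseholder.com"; dns.query; content:"recallelliehouseholder.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])recallelliehouseholder\.com$/i"; classtype:trojan-activity; sid:4106611; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Outgoing HTTP Domain recallelliehouseholder.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"recallelliehouseholder.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])recallelliehouseholder\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106612; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Domain redlogistics.co"; dns.query; content:"redlogistics.co"; nocase; pcre: "/(^|[^A-Za-z0-9-])redlogistics\.co$/i"; classtype:trojan-activity; sid:4106621; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Outgoing HTTP Domain redlogistics.co"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"redlogistics.co"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])redlogistics\.co[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106622; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Domain rentseapines.com"; dns.query; content:"rentseapines.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])rentseapines\.com$/i"; classtype:trojan-activity; sid:4106631; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Outgoing HTTP Domain rentseapines.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"rentseapines.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])rentseapines\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106632; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Domain ricardopiresfotografia.com"; dns.query; content:"ricardopiresfotografia.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ricardopiresfotografia\.com$/i"; classtype:trojan-activity; sid:4106641; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Outgoing HTTP Domain ricardopiresfotografia.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ricardopiresfotografia.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ricardopiresfotografia\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106642; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Hostname rinconadadellago.com.mx"; dns.query; content:"rinconadadellago.com.mx"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])rinconadadellago\.com\.mx$/i"; classtype:trojan-activity; sid:4106651; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Outgoing HTTP Hostname rinconadadellago.com.mx"; flow:to_server,established; http.header; content: "Host|3a| rinconadadellago.com.mx"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])rinconadadellago\.com\.mx[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106652; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Domain rinka.ro"; dns.query; content:"rinka.ro"; nocase; pcre: "/(^|[^A-Za-z0-9-])rinka\.ro$/i"; classtype:trojan-activity; sid:4106661; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Outgoing HTTP Domain rinka.ro"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"rinka.ro"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])rinka\.ro[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106662; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Domain ripexminted.com"; dns.query; content:"ripexminted.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ripexminted\.com$/i"; classtype:trojan-activity; sid:4106671; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Outgoing HTTP Domain ripexminted.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ripexminted.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ripexminted\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106672; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Domain rksworld.org"; dns.query; content:"rksworld.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])rksworld\.org$/i"; classtype:trojan-activity; sid:4106681; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Outgoing HTTP Domain rksworld.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"rksworld.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])rksworld\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106682; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Domain roofingarkansas.info"; dns.query; content:"roofingarkansas.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])roofingarkansas\.info$/i"; classtype:trojan-activity; sid:4106691; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Outgoing HTTP Domain roofingarkansas.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"roofingarkansas.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])roofingarkansas\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106692; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Domain roofingcontractormemphis.com"; dns.query; content:"roofingcontractormemphis.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])roofingcontractormemphis\.com$/i"; classtype:trojan-activity; sid:4106701; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Outgoing HTTP Domain roofingcontractormemphis.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"roofingcontractormemphis.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])roofingcontractormemphis\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106702; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Domain roofinglittleroc.com"; dns.query; content:"roofinglittleroc.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])roofinglittleroc\.com$/i"; classtype:trojan-activity; sid:4106711; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Outgoing HTTP Domain roofinglittleroc.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"roofinglittleroc.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])roofinglittleroc\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106712; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Domain roofinglittlerock.info"; dns.query; content:"roofinglittlerock.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])roofinglittlerock\.info$/i"; classtype:trojan-activity; sid:4106721; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Outgoing HTTP Domain roofinglittlerock.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"roofinglittlerock.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])roofinglittlerock\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106722; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Domain roofingmemphis.tv"; dns.query; content:"roofingmemphis.tv"; nocase; pcre: "/(^|[^A-Za-z0-9-])roofingmemphis\.tv$/i"; classtype:trojan-activity; sid:4106731; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Outgoing HTTP Domain roofingmemphis.tv"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"roofingmemphis.tv"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])roofingmemphis\.tv[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106732; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Domain roofingtennessee.info"; dns.query; content:"roofingtennessee.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])roofingtennessee\.info$/i"; classtype:trojan-activity; sid:4106741; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Outgoing HTTP Domain roofingtennessee.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"roofingtennessee.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])roofingtennessee\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106742; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Domain route-2021.xyz"; dns.query; content:"route-2021.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])route\-2021\.xyz$/i"; classtype:trojan-activity; sid:4106751; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Outgoing HTTP Domain route-2021.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"route-2021.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])route\-2021\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106752; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Domain royalcitymarbles.com"; dns.query; content:"royalcitymarbles.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])royalcitymarbles\.com$/i"; classtype:trojan-activity; sid:4106761; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Outgoing HTTP Domain royalcitymarbles.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"royalcitymarbles.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])royalcitymarbles\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106762; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Domain runflow.cl"; dns.query; content:"runflow.cl"; nocase; pcre: "/(^|[^A-Za-z0-9-])runflow\.cl$/i"; classtype:trojan-activity; sid:4106771; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Outgoing HTTP Domain runflow.cl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"runflow.cl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])runflow\.cl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106772; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Domain russianrealestatecalgary.com"; dns.query; content:"russianrealestatecalgary.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])russianrealestatecalgary\.com$/i"; classtype:trojan-activity; sid:4106781; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Outgoing HTTP Domain russianrealestatecalgary.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"russianrealestatecalgary.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])russianrealestatecalgary\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106782; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Domain s-rail.in"; dns.query; content:"s-rail.in"; nocase; pcre: "/(^|[^A-Za-z0-9-])s\-rail\.in$/i"; classtype:trojan-activity; sid:4106791; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Outgoing HTTP Domain s-rail.in"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"s-rail.in"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])s\-rail\.in[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106792; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Domain saleebyproctology.com"; dns.query; content:"saleebyproctology.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])saleebyproctology\.com$/i"; classtype:trojan-activity; sid:4106801; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Outgoing HTTP Domain saleebyproctology.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"saleebyproctology.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])saleebyproctology\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106802; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Domain salesjamesja.com"; dns.query; content:"salesjamesja.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])salesjamesja\.com$/i"; classtype:trojan-activity; sid:4106811; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\",circl:incident-classification=\"malware\",circl:incident-classification=\"phishing\",tlp:white] Outgoing HTTP Domain salesjamesja.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"salesjamesja.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])salesjamesja\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 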
classtype:trojan-activity; sid:4106812; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain salestrainingaudios.com"; dns.query; content:"salestrainingaudios.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])salestrainingaudios\.com$/i"; classtype:trojan-activity; sid:4106821; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain salestrainingaudios.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"salestrainingaudios.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])salestrainingaudios\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106822; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain sanakharid.ir"; dns.query; content:"sanakharid.ir"; nocase; pcre: "/(^|[^A-Za-z0-9-])sanakharid\.ir$/i"; classtype:trojan-activity; sid:4106831; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain sanakharid.ir"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sanakharid.ir"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])sanakharid\.ir[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106832; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain sanbari.mx"; dns.query; content:"sanbari.mx"; nocase; pcre: "/(^|[^A-Za-z0-9-])sanbari\.mx$/i"; classtype:trojan-activity; sid:4106841; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain sanbari.mx"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sanbari.mx"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sanbari\.mx[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106842; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain sanjolisarees.com"; dns.query; content:"sanjolisarees.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])sanjolisarees\.com$/i"; classtype:trojan-activity; sid:4106851; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain sanjolisarees.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sanjolisarees.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])sanjolisarees\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106852; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain saraviatowing.net"; dns.query; content:"saraviatowing.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])saraviatowing\.net$/i"; classtype:trojan-activity; sid:4106861; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain saraviatowing.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"saraviatowing.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])saraviatowing\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106862; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain sarcadrug.com"; dns.query; content:"sarcadrug.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])sarcadrug\.com$/i"; classtype:trojan-activity; sid:4106871; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain sarcadrug.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sarcadrug.com"; fast_pattern; 
nocase; pcre: "/(^|[^A-Za-z0-9-])sarcadrug\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106872; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain sattaking-fast.in"; dns.query; content:"sattaking-fast.in"; nocase; pcre: "/(^|[^A-Za-z0-9-])sattaking\-fast\.in$/i"; classtype:trojan-activity; sid:4106881; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain sattaking-fast.in"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sattaking-fast.in"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sattaking\-fast\.in[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106882; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain sattaking-satta.in"; dns.query; content:"sattaking-satta.in"; nocase; pcre: "/(^|[^A-Za-z0-9-])sattaking\-satta\.in$/i"; classtype:trojan-activity; sid:4106891; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain sattaking-satta.in"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; 
content:"sattaking-satta.in"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sattaking\-satta\.in[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106892; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain sattakingmd.in"; dns.query; content:"sattakingmd.in"; nocase; pcre: "/(^|[^A-Za-z0-9-])sattakingmd\.in$/i"; classtype:trojan-activity; sid:4106901; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain sattakingmd.in"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sattakingmd.in"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sattakingmd\.in[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106902; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain sattakingsandy.in"; dns.query; content:"sattakingsandy.in"; nocase; pcre: "/(^|[^A-Za-z0-9-])sattakingsandy\.in$/i"; classtype:trojan-activity; sid:4106911; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain sattakingsandy.in"; flow:to_server,established; http.header; content: "Host|3a|"; 
nocase; http.header; content:"sattakingsandy.in"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sattakingsandy\.in[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106912; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain sbrentacar.me"; dns.query; content:"sbrentacar.me"; nocase; pcre: "/(^|[^A-Za-z0-9-])sbrentacar\.me$/i"; classtype:trojan-activity; sid:4106921; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain sbrentacar.me"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sbrentacar.me"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sbrentacar\.me[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106922; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain scalat.ro"; dns.query; content:"scalat.ro"; nocase; pcre: "/(^|[^A-Za-z0-9-])scalat\.ro$/i"; classtype:trojan-activity; sid:4106931; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain scalat.ro"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; 
content:"scalat.ro"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])scalat\.ro[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106932; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain scoala56.com"; dns.query; content:"scoala56.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])scoala56\.com$/i"; classtype:trojan-activity; sid:4106941; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain scoala56.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"scoala56.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])scoala56\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106942; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain scovelstowing.com"; dns.query; content:"scovelstowing.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])scovelstowing\.com$/i"; classtype:trojan-activity; sid:4106951; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain scovelstowing.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; 
content:"scovelstowing.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])scovelstowing\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106952; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain secretofsuccess.online"; dns.query; content:"secretofsuccess.online"; nocase; pcre: "/(^|[^A-Za-z0-9-])secretofsuccess\.online$/i"; classtype:trojan-activity; sid:4106961; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain secretofsuccess.online"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"secretofsuccess.online"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])secretofsuccess\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106962; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain sectordemujeres.org"; dns.query; content:"sectordemujeres.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])sectordemujeres\.org$/i"; classtype:trojan-activity; sid:4106971; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain sectordemujeres.org"; 
flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sectordemujeres.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sectordemujeres\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106972; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname securemail.bbocambodia.com"; dns.query; content:"securemail.bbocambodia.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])securemail\.bbocambodia\.com$/i"; classtype:trojan-activity; sid:4106981; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname securemail.bbocambodia.com"; flow:to_server,established; http.header; content: "Host|3a| securemail.bbocambodia.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])securemail\.bbocambodia\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106982; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain securityserviceusa.com"; dns.query; content:"securityserviceusa.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])securityserviceusa\.com$/i"; classtype:trojan-activity; sid:4106991; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - 
T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain securityserviceusa.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"securityserviceusa.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])securityserviceusa\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4106992; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain serenidadsfm.com"; dns.query; content:"serenidadsfm.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])serenidadsfm\.com$/i"; classtype:trojan-activity; sid:4107001; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain serenidadsfm.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"serenidadsfm.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])serenidadsfm\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107002; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain serverplanner.com"; dns.query; content:"serverplanner.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])serverplanner\.com$/i"; classtype:trojan-activity; sid:4107011; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 
[misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain serverplanner.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"serverplanner.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])serverplanner\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107012; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname sextoystore.co.in"; dns.query; content:"sextoystore.co.in"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])sextoystore\.co\.in$/i"; classtype:trojan-activity; sid:4107021; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname sextoystore.co.in"; flow:to_server,established; http.header; content: "Host|3a| sextoystore.co.in"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])sextoystore\.co\.in[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107022; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain shahanaschool.in"; dns.query; content:"shahanaschool.in"; nocase; pcre: "/(^|[^A-Za-z0-9-])shahanaschool\.in$/i"; classtype:trojan-activity; sid:4107031; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: 
"MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain shahanaschool.in"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"shahanaschool.in"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])shahanaschool\.in[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107032; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain shashvatswasthya.in"; dns.query; content:"shashvatswasthya.in"; nocase; pcre: "/(^|[^A-Za-z0-9-])shashvatswasthya\.in$/i"; classtype:trojan-activity; sid:4107041; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain shashvatswasthya.in"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"shashvatswasthya.in"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])shashvatswasthya\.in[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107042; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain shivrajengineering.in"; dns.query; content:"shivrajengineering.in"; nocase; pcre: "/(^|[^A-Za-z0-9-])shivrajengineering\.in$/i"; classtype:trojan-activity; sid:4107051; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain shivrajengineering.in"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"shivrajengineering.in"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])shivrajengineering\.in[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107052; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname shoeclearanceoutlet.co.uk"; dns.query; content:"shoeclearanceoutlet.co.uk"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])shoeclearanceoutlet\.co\.uk$/i"; classtype:trojan-activity; sid:4107061; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname shoeclearanceoutlet.co.uk"; flow:to_server,established; http.header; content: "Host|3a| shoeclearanceoutlet.co.uk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])shoeclearanceoutlet\.co\.uk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107062; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain shopworld-cargo.com"; dns.query; content:"shopworld-cargo.com"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])shopworld\-cargo\.com$/i"; classtype:trojan-activity; sid:4107071; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
# --- Review notes (apply to every rule in this section) ---
# Every rule below is a network IOC from MISP event 250 (msg tag: "Phishing - T1566"). They are
# alert-only signatures; do not turn them into drop rules without checking each entry, since a
# number of the names read like ordinary business or school sites rather than attacker-registered
# infrastructure (inference from the names only - confirm against the event before blocking, and
# expect benign hits once a compromised site has been cleaned).
# Coverage caveat: the "Outgoing HTTP" rules inspect the Host header of plaintext HTTP. Nothing in
# this section matches the TLS SNI, so an HTTPS visit to one of these hosts is only caught by the
# companion DNS rule, and only if that lookup crosses the sensor as classic DNS (not DoH/DoT).
# Match width: "Domain" rules use pcre /(^|[^A-Za-z0-9-])name/, so any subdomain of name fires as
# well; "Hostname" rules use /(^|[^A-Za-z0-9-\.])name/ and therefore match that exact host only.
# The DNS rules are any any -> any any: a lookup that is seen twice (client -> resolver, then
# resolver -> upstream) may alert twice, the second time with the resolver as the source address.
# tag:session,600,seconds on the HTTP rules keeps logging packets of the matching session for up
# to 600 s after the first hit - budget for that if tagged-packet logging is enabled.
# NOTE(review): the HTTP rules pair the http.header sticky buffer with a pcre that still carries the
# legacy /H modifier; validate the file with `suricata -T -S <this file>` on the Suricata version you
# run before deploying it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain shopworld-cargo.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"shopworld-cargo.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])shopworld\-cargo\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107072; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain shridhargroups.com"; dns.query; content:"shridhargroups.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])shridhargroups\.com$/i"; classtype:trojan-activity; sid:4107081; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain shridhargroups.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"shridhargroups.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])shridhargroups\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107082; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain sibertconsulting.com"; dns.query; content:"sibertconsulting.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])sibertconsulting\.com$/i"; classtype:trojan-activity; sid:4107091; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain sibertconsulting.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sibertconsulting.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sibertconsulting\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107092; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain sicasasesores.com"; dns.query; content:"sicasasesores.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])sicasasesores\.com$/i"; classtype:trojan-activity; sid:4107101; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain sicasasesores.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sicasasesores.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sicasasesores\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107102; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain sigmageotecnologias.com"; dns.query; content:"sigmageotecnologias.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])sigmageotecnologias\.com$/i"; classtype:trojan-activity; sid:4107111; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain sigmageotecnologias.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sigmageotecnologias.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sigmageotecnologias\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107112; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain skyparkingaerodrom.rs"; dns.query; content:"skyparkingaerodrom.rs"; nocase; pcre: "/(^|[^A-Za-z0-9-])skyparkingaerodrom\.rs$/i"; classtype:trojan-activity; sid:4107121; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain skyparkingaerodrom.rs"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"skyparkingaerodrom.rs"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])skyparkingaerodrom\.rs[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107122; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
# Hostname IOC (not Domain): the leading [^A-Za-z0-9-\.] class rejects a preceding '.', so only this
# exact host matches - sub-labels under it will not fire these two rules.
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname smkn1bengkalis.sch.id"; dns.query; content:"smkn1bengkalis.sch.id"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])smkn1bengkalis\.sch\.id$/i"; classtype:trojan-activity; sid:4107131; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname smkn1bengkalis.sch.id"; flow:to_server,established; http.header; content: "Host|3a| smkn1bengkalis.sch.id"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])smkn1bengkalis\.sch\.id[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107132; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain solohdnet46.net"; dns.query; content:"solohdnet46.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])solohdnet46\.net$/i"; classtype:trojan-activity; sid:4107141; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain solohdnet46.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"solohdnet46.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])solohdnet46\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107142; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain souzaircondicionado.com"; dns.query; content:"souzaircondicionado.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])souzaircondicionado\.com$/i"; classtype:trojan-activity; sid:4107151; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain souzaircondicionado.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"souzaircondicionado.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])souzaircondicionado\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107152; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain sparkeventz.com"; dns.query; content:"sparkeventz.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])sparkeventz\.com$/i"; classtype:trojan-activity; sid:4107161; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain sparkeventz.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sparkeventz.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sparkeventz\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107162; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain spiritofprespa.com"; dns.query; content:"spiritofprespa.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])spiritofprespa\.com$/i"; classtype:trojan-activity; sid:4107171; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain spiritofprespa.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"spiritofprespa.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])spiritofprespa\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107172; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain springfieldhomes.ca"; dns.query; content:"springfieldhomes.ca"; nocase; pcre: "/(^|[^A-Za-z0-9-])springfieldhomes\.ca$/i"; classtype:trojan-activity; sid:4107181; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain springfieldhomes.ca"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"springfieldhomes.ca"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])springfieldhomes\.ca[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107182; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain srisaisupermarket.ca"; dns.query; content:"srisaisupermarket.ca"; nocase; pcre: "/(^|[^A-Za-z0-9-])srisaisupermarket\.ca$/i"; classtype:trojan-activity; sid:4107191; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain srisaisupermarket.ca"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"srisaisupermarket.ca"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])srisaisupermarket\.ca[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107192; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain sromoch.com"; dns.query; content:"sromoch.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])sromoch\.com$/i"; classtype:trojan-activity; sid:4107201; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain sromoch.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sromoch.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sromoch\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107202; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname srv7.corpwebcontrol.com"; dns.query; content:"srv7.corpwebcontrol.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])srv7\.corpwebcontrol\.com$/i"; classtype:trojan-activity; sid:4107211; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname srv7.corpwebcontrol.com"; flow:to_server,established; http.header; content: "Host|3a| srv7.corpwebcontrol.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])srv7\.corpwebcontrol\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107212; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain stagencyperu.com"; dns.query; content:"stagencyperu.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])stagencyperu\.com$/i"; classtype:trojan-activity; sid:4107221; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain stagencyperu.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"stagencyperu.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])stagencyperu\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107222; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain stateart.pk"; dns.query; content:"stateart.pk"; nocase; pcre: "/(^|[^A-Za-z0-9-])stateart\.pk$/i"; classtype:trojan-activity; sid:4107231; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain stateart.pk"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"stateart.pk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])stateart\.pk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107232; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain stockyhouse.com"; dns.query; content:"stockyhouse.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])stockyhouse\.com$/i"; classtype:trojan-activity; sid:4107241; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain stockyhouse.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"stockyhouse.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])stockyhouse\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107242; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname stripemovired.ramfactoryarg.com"; dns.query; content:"stripemovired.ramfactoryarg.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])stripemovired\.ramfactoryarg\.com$/i"; classtype:trojan-activity; sid:4107251; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname stripemovired.ramfactoryarg.com"; flow:to_server,established; http.header; content: "Host|3a| stripemovired.ramfactoryarg.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])stripemovired\.ramfactoryarg\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107252; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain successfulkitchen.com"; dns.query; content:"successfulkitchen.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])successfulkitchen\.com$/i"; classtype:trojan-activity; sid:4107261; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain successfulkitchen.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"successfulkitchen.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])successfulkitchen\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107262; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain suimuis.com"; dns.query; content:"suimuis.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])suimuis\.com$/i"; classtype:trojan-activity; sid:4107271; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain suimuis.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"suimuis.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])suimuis\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107272; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain sukmabali.com"; dns.query; content:"sukmabali.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])sukmabali\.com$/i"; classtype:trojan-activity; sid:4107281; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain sukmabali.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sukmabali.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sukmabali\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107282; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain sunukoomthies.com"; dns.query; content:"sunukoomthies.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])sunukoomthies\.com$/i"; classtype:trojan-activity; sid:4107291; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain sunukoomthies.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sunukoomthies.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sunukoomthies\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107292; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain svac.ro"; dns.query; content:"svac.ro"; nocase; pcre: "/(^|[^A-Za-z0-9-])svac\.ro$/i"; classtype:trojan-activity; sid:4107301; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain svac.ro"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"svac.ro"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])svac\.ro[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107302; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain swatpalace.pk"; dns.query; content:"swatpalace.pk"; nocase; pcre: "/(^|[^A-Za-z0-9-])swatpalace\.pk$/i"; classtype:trojan-activity; sid:4107311; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain swatpalace.pk"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"swatpalace.pk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])swatpalace\.pk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107312; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain sweetlittle.mx"; dns.query; content:"sweetlittle.mx"; nocase; pcre: "/(^|[^A-Za-z0-9-])sweetlittle\.mx$/i"; classtype:trojan-activity; sid:4107321; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain sweetlittle.mx"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sweetlittle.mx"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sweetlittle\.mx[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107322; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain syncun.com"; dns.query; content:"syncun.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])syncun\.com$/i"; classtype:trojan-activity; sid:4107331; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain syncun.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"syncun.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])syncun\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107332; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain tabriz.ng"; dns.query; content:"tabriz.ng"; nocase; pcre: "/(^|[^A-Za-z0-9-])tabriz\.ng$/i"; classtype:trojan-activity; sid:4107341; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain tabriz.ng"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tabriz.ng"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tabriz\.ng[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107342; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain tawasol.business"; dns.query; content:"tawasol.business"; nocase; pcre: "/(^|[^A-Za-z0-9-])tawasol\.business$/i"; classtype:trojan-activity; sid:4107351; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain tawasol.business"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tawasol.business"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tawasol\.business[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107352; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain tecglobmec.com"; dns.query; content:"tecglobmec.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])tecglobmec\.com$/i"; classtype:trojan-activity; sid:4107361; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain tecglobmec.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tecglobmec.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tecglobmec\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107362; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain technicalincome.com"; dns.query; content:"technicalincome.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])technicalincome\.com$/i"; classtype:trojan-activity; sid:4107371; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain technicalincome.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"technicalincome.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])technicalincome\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107372; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain tecnicosenserviciobogota.com"; dns.query; content:"tecnicosenserviciobogota.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])tecnicosenserviciobogota\.com$/i"; classtype:trojan-activity; sid:4107381; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain tecnicosenserviciobogota.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tecnicosenserviciobogota.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tecnicosenserviciobogota\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107382; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain teque7.com"; dns.query; content:"teque7.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])teque7\.com$/i"; classtype:trojan-activity; sid:4107391; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain teque7.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"teque7.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])teque7\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107392; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname test.dirigu.ro"; dns.query; content:"test.dirigu.ro"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])test\.dirigu\.ro$/i"; classtype:trojan-activity; sid:4107401; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname test.dirigu.ro"; flow:to_server,established; http.header; content: "Host|3a| test.dirigu.ro"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])test\.dirigu\.ro[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107402; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname testpaginacalzado.grupomasis.com"; dns.query; content:"testpaginacalzado.grupomasis.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])testpaginacalzado\.grupomasis\.com$/i"; classtype:trojan-activity; sid:4107411; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname testpaginacalzado.grupomasis.com"; flow:to_server,established; http.header; content: "Host|3a| testpaginacalzado.grupomasis.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])testpaginacalzado\.grupomasis\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107412; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain thebethesdahouse.org"; dns.query; content:"thebethesdahouse.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])thebethesdahouse\.org$/i"; classtype:trojan-activity; sid:4107421; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain thebethesdahouse.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"thebethesdahouse.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])thebethesdahouse\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107422; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain theorestaurante.com"; dns.query; content:"theorestaurante.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])theorestaurante\.com$/i"; classtype:trojan-activity; sid:4107431; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain theorestaurante.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"theorestaurante.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])theorestaurante\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107432; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain thepatchworkstore.com"; dns.query; content:"thepatchworkstore.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])thepatchworkstore\.com$/i"; classtype:trojan-activity; sid:4107441; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain thepatchworkstore.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"thepatchworkstore.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])thepatchworkstore\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107442; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain theultimate-carcollection.com"; dns.query; content:"theultimate-carcollection.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])theultimate\-carcollection\.com$/i"; classtype:trojan-activity; sid:4107451; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain theultimate-carcollection.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"theultimate-carcollection.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])theultimate\-carcollection\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107452; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain thuocnamtot.xyz"; dns.query; content:"thuocnamtot.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])thuocnamtot\.xyz$/i"; classtype:trojan-activity; sid:4107461; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain thuocnamtot.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"thuocnamtot.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])thuocnamtot\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107462; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain todoporteros.cl"; dns.query; content:"todoporteros.cl"; nocase; pcre: "/(^|[^A-Za-z0-9-])todoporteros\.cl$/i"; classtype:trojan-activity; sid:4107471; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain todoporteros.cl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"todoporteros.cl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])todoporteros\.cl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107472; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;)
alert dns any any -> any any (msg: "MISP e250 
[misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain toldosyparasolesbogota.com"; dns.query; content:"toldosyparasolesbogota.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])toldosyparasolesbogota\.com$/i"; classtype:trojan-activity; sid:4107481; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain toldosyparasolesbogota.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"toldosyparasolesbogota.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])toldosyparasolesbogota\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107482; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain totallybaked.ca"; dns.query; content:"totallybaked.ca"; nocase; pcre: "/(^|[^A-Za-z0-9-])totallybaked\.ca$/i"; classtype:trojan-activity; sid:4107491; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain totallybaked.ca"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"totallybaked.ca"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])totallybaked\.ca[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107492; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain tracuuthe.vn"; dns.query; content:"tracuuthe.vn"; nocase; pcre: "/(^|[^A-Za-z0-9-])tracuuthe\.vn$/i"; classtype:trojan-activity; sid:4107501; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain tracuuthe.vn"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tracuuthe.vn"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tracuuthe\.vn[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107502; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain tradingnews.io"; dns.query; content:"tradingnews.io"; nocase; pcre: "/(^|[^A-Za-z0-9-])tradingnews\.io$/i"; classtype:trojan-activity; sid:4107511; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain tradingnews.io"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tradingnews.io"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tradingnews\.io[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107512; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname tradingview-brokers.skoconstructionng.com"; dns.query; content:"tradingview-brokers.skoconstructionng.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])tradingview\-brokers\.skoconstructionng\.com$/i"; classtype:trojan-activity; sid:4107521; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname tradingview-brokers.skoconstructionng.com"; flow:to_server,established; http.header; content: "Host|3a| tradingview-brokers.skoconstructionng.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])tradingview\-brokers\.skoconstructionng\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107522; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname tradingview-cost.skoconstructionng.com"; dns.query; content:"tradingview-cost.skoconstructionng.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])tradingview\-cost\.skoconstructionng\.com$/i"; classtype:trojan-activity; sid:4107531; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname tradingview-cost.skoconstructionng.com"; flow:to_server,established; 
http.header; content: "Host|3a| tradingview-cost.skoconstructionng.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])tradingview\-cost\.skoconstructionng\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107532; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname trezoir.sukmabali.com"; dns.query; content:"trezoir.sukmabali.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])trezoir\.sukmabali\.com$/i"; classtype:trojan-activity; sid:4107541; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname trezoir.sukmabali.com"; flow:to_server,established; http.header; content: "Host|3a| trezoir.sukmabali.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])trezoir\.sukmabali\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107542; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain trinitytalod.com"; dns.query; content:"trinitytalod.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])trinitytalod\.com$/i"; classtype:trojan-activity; sid:4107551; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain 
trinitytalod.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"trinitytalod.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])trinitytalod\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107552; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname ts.retailgen.com"; dns.query; content:"ts.retailgen.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ts\.retailgen\.com$/i"; classtype:trojan-activity; sid:4107561; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname ts.retailgen.com"; flow:to_server,established; http.header; content: "Host|3a| ts.retailgen.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ts\.retailgen\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107562; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain ttisi.pe"; dns.query; content:"ttisi.pe"; nocase; pcre: "/(^|[^A-Za-z0-9-])ttisi\.pe$/i"; classtype:trojan-activity; sid:4107571; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain ttisi.pe"; 
flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ttisi.pe"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ttisi\.pe[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107572; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname u522712.gluweb.nl"; dns.query; content:"u522712.gluweb.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])u522712\.gluweb\.nl$/i"; classtype:trojan-activity; sid:4107581; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname u522712.gluweb.nl"; flow:to_server,established; http.header; content: "Host|3a| u522712.gluweb.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])u522712\.gluweb\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107582; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain ultravioletinnovations.com"; dns.query; content:"ultravioletinnovations.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ultravioletinnovations\.com$/i"; classtype:trojan-activity; sid:4107591; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP 
Domain ultravioletinnovations.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ultravioletinnovations.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ultravioletinnovations\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107592; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain united-alsafwa.com"; dns.query; content:"united-alsafwa.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])united\-alsafwa\.com$/i"; classtype:trojan-activity; sid:4107601; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain united-alsafwa.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"united-alsafwa.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])united\-alsafwa\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107602; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain upcomingengineer.com"; dns.query; content:"upcomingengineer.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])upcomingengineer\.com$/i"; classtype:trojan-activity; sid:4107611; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - 
T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain upcomingengineer.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"upcomingengineer.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])upcomingengineer\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107612; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain uplauds.ai"; dns.query; content:"uplauds.ai"; nocase; pcre: "/(^|[^A-Za-z0-9-])uplauds\.ai$/i"; classtype:trojan-activity; sid:4107621; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain uplauds.ai"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"uplauds.ai"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])uplauds\.ai[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107622; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain uptownsparksenergy.com"; dns.query; content:"uptownsparksenergy.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])uptownsparksenergy\.com$/i"; classtype:trojan-activity; sid:4107631; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 
[misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain uptownsparksenergy.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"uptownsparksenergy.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])uptownsparksenergy\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107632; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain usapetfinder.com"; dns.query; content:"usapetfinder.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])usapetfinder\.com$/i"; classtype:trojan-activity; sid:4107641; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain usapetfinder.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"usapetfinder.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])usapetfinder\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107642; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain uscshopping.net"; dns.query; content:"uscshopping.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])uscshopping\.net$/i"; classtype:trojan-activity; sid:4107651; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain uscshopping.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"uscshopping.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])uscshopping\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107652; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain vagansafety.org"; dns.query; content:"vagansafety.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])vagansafety\.org$/i"; classtype:trojan-activity; sid:4107661; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain vagansafety.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vagansafety.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vagansafety\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107662; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain vagaspet.com"; dns.query; content:"vagaspet.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])vagaspet\.com$/i"; classtype:trojan-activity; sid:4107671; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain vagaspet.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vagaspet.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vagaspet\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107672; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain vente2000.com"; dns.query; content:"vente2000.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])vente2000\.com$/i"; classtype:trojan-activity; sid:4107681; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain vente2000.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vente2000.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vente2000\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107682; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain ventoindia.in"; dns.query; content:"ventoindia.in"; nocase; pcre: "/(^|[^A-Za-z0-9-])ventoindia\.in$/i"; classtype:trojan-activity; sid:4107691; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain ventoindia.in"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ventoindia.in"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ventoindia\.in[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107692; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain vertexcapitalinvestments.com"; dns.query; content:"vertexcapitalinvestments.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])vertexcapitalinvestments\.com$/i"; classtype:trojan-activity; sid:4107701; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain vertexcapitalinvestments.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vertexcapitalinvestments.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vertexcapitalinvestments\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107702; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain veterinariaensuba.com"; dns.query; content:"veterinariaensuba.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])veterinariaensuba\.com$/i"; classtype:trojan-activity; sid:4107711; 
rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain veterinariaensuba.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"veterinariaensuba.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])veterinariaensuba\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107712; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain vidento.net"; dns.query; content:"vidento.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])vidento\.net$/i"; classtype:trojan-activity; sid:4107721; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain vidento.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vidento.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vidento\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107722; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain vieiraadvocacia.net"; dns.query; content:"vieiraadvocacia.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])vieiraadvocacia\.net$/i"; 
classtype:trojan-activity; sid:4107731; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain vieiraadvocacia.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vieiraadvocacia.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vieiraadvocacia\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107732; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain villabrih.com"; dns.query; content:"villabrih.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])villabrih\.com$/i"; classtype:trojan-activity; sid:4107741; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain villabrih.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"villabrih.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])villabrih\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107742; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain vimalkitchenware.com"; dns.query; content:"vimalkitchenware.com"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])vimalkitchenware\.com$/i"; classtype:trojan-activity; sid:4107751; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain vimalkitchenware.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vimalkitchenware.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vimalkitchenware\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107752; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain vintplay.com"; dns.query; content:"vintplay.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])vintplay\.com$/i"; classtype:trojan-activity; sid:4107761; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain vintplay.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vintplay.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vintplay\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107762; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain visitsrilanka.net"; dns.query; 
content:"visitsrilanka.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])visitsrilanka\.net$/i"; classtype:trojan-activity; sid:4107771; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain visitsrilanka.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"visitsrilanka.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])visitsrilanka\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107772; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain vivavita.hu"; dns.query; content:"vivavita.hu"; nocase; pcre: "/(^|[^A-Za-z0-9-])vivavita\.hu$/i"; classtype:trojan-activity; sid:4107781; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain vivavita.hu"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vivavita.hu"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vivavita\.hu[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107782; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname voip.voipcallhub.com"; 
dns.query; content:"voip.voipcallhub.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])voip\.voipcallhub\.com$/i"; classtype:trojan-activity; sid:4107791; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname voip.voipcallhub.com"; flow:to_server,established; http.header; content: "Host|3a| voip.voipcallhub.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])voip\.voipcallhub\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107792; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain voipcallhub.com"; dns.query; content:"voipcallhub.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])voipcallhub\.com$/i"; classtype:trojan-activity; sid:4107801; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain voipcallhub.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"voipcallhub.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])voipcallhub\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107802; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname 
waterdata.smartfarmthailand.com"; dns.query; content:"waterdata.smartfarmthailand.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])waterdata\.smartfarmthailand\.com$/i"; classtype:trojan-activity; sid:4107811; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname waterdata.smartfarmthailand.com"; flow:to_server,established; http.header; content: "Host|3a| waterdata.smartfarmthailand.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])waterdata\.smartfarmthailand\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107812; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain wearetlmdonation.org"; dns.query; content:"wearetlmdonation.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])wearetlmdonation\.org$/i"; classtype:trojan-activity; sid:4107821; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain wearetlmdonation.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wearetlmdonation.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wearetlmdonation\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107822; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 
[misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain welcomehaters.top"; dns.query; content:"welcomehaters.top"; nocase; pcre: "/(^|[^A-Za-z0-9-])welcomehaters\.top$/i"; classtype:trojan-activity; sid:4107831; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain welcomehaters.top"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"welcomehaters.top"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])welcomehaters\.top[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107832; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain wikimediagroup.net"; dns.query; content:"wikimediagroup.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])wikimediagroup\.net$/i"; classtype:trojan-activity; sid:4107841; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain wikimediagroup.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wikimediagroup.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wikimediagroup\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107842; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert 
dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain wissamyamout.com"; dns.query; content:"wissamyamout.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])wissamyamout\.com$/i"; classtype:trojan-activity; sid:4107851; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain wissamyamout.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wissamyamout.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wissamyamout\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107852; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain wnctowing.com"; dns.query; content:"wnctowing.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])wnctowing\.com$/i"; classtype:trojan-activity; sid:4107861; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain wnctowing.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wnctowing.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wnctowing\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107862; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) 
alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain works75.info"; dns.query; content:"works75.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])works75\.info$/i"; classtype:trojan-activity; sid:4107871; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain works75.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"works75.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])works75\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107872; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain worldempoweredyouth.com"; dns.query; content:"worldempoweredyouth.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])worldempoweredyouth\.com$/i"; classtype:trojan-activity; sid:4107881; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain worldempoweredyouth.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"worldempoweredyouth.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])worldempoweredyouth\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107882; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain worldofjain.com"; dns.query; content:"worldofjain.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])worldofjain\.com$/i"; classtype:trojan-activity; sid:4107891; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain worldofjain.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"worldofjain.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])worldofjain\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107892; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Hostname www.totallybaked.ca"; dns.query; content:"www.totallybaked.ca"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.totallybaked\.ca$/i"; classtype:trojan-activity; sid:4107901; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Hostname www.totallybaked.ca"; flow:to_server,established; http.header; content: "Host|3a| www.totallybaked.ca"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.totallybaked\.ca[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107902; rev:1; 
priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain xn--villanykuck-0eb.hu"; dns.query; content:"xn--villanykuck-0eb.hu"; nocase; pcre: "/(^|[^A-Za-z0-9-])xn\-\-villanykuck\-0eb\.hu$/i"; classtype:trojan-activity; sid:4107911; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain xn--villanykuck-0eb.hu"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"xn--villanykuck-0eb.hu"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])xn\-\-villanykuck\-0eb\.hu[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107912; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain yamminecompany.com"; dns.query; content:"yamminecompany.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])yamminecompany\.com$/i"; classtype:trojan-activity; sid:4107921; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain yamminecompany.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"yamminecompany.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])yamminecompany\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107922; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain yoowi.net"; dns.query; content:"yoowi.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])yoowi\.net$/i"; classtype:trojan-activity; sid:4107931; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain yoowi.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"yoowi.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])yoowi\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107932; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain zappering.com"; dns.query; content:"zappering.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])zappering\.com$/i"; classtype:trojan-activity; sid:4107941; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain zappering.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"zappering.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])zappering\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107942; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain zerriaadvertisingco.com"; dns.query; content:"zerriaadvertisingco.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])zerriaadvertisingco\.com$/i"; classtype:trojan-activity; sid:4107951; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain zerriaadvertisingco.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"zerriaadvertisingco.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])zerriaadvertisingco\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107952; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert dns any any -> any any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Domain zinggr.com"; dns.query; content:"zinggr.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])zinggr\.com$/i"; classtype:trojan-activity; sid:4107961; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e250 [misp-galaxy:mitre-attack-pattern="Phishing - T1566",circl:incident-classification="malware",circl:incident-classification="phishing",tlp:white] Outgoing HTTP Domain zinggr.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; 
content:"zinggr.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])zinggr\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4107962; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/250;) alert ip $HOME_NET any -> 80.82.67.6 any (msg: "MISP e251 [misp-galaxy:mitre-intrusion-set="Winnti Group - G0044",tlp:white] Outgoing To IP: 80.82.67.6"; classtype:trojan-activity; sid:4116631; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/251;) alert ip $HOME_NET any -> 185.236.78.28 any (msg: "MISP e251 [misp-galaxy:mitre-intrusion-set="Winnti Group - G0044",tlp:white] Outgoing To IP: 185.236.78.28"; classtype:trojan-activity; sid:4116641; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/251;) alert ip $HOME_NET any -> 91.235.128.90 any (msg: "MISP e251 [misp-galaxy:mitre-intrusion-set="Winnti Group - G0044",tlp:white] Outgoing To IP: 91.235.128.90"; classtype:trojan-activity; sid:4116651; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/251;) alert ip $HOME_NET any -> 185.161.209.234 any (msg: "MISP e251 [misp-galaxy:mitre-intrusion-set="Winnti Group - G0044",tlp:white] Outgoing To IP: 185.161.209.234"; classtype:trojan-activity; sid:4116661; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/251;) alert ip $HOME_NET any -> 185.161.211.188 any (msg: "MISP e251 [misp-galaxy:mitre-intrusion-set="Winnti Group - G0044",tlp:white] Outgoing To IP: 185.161.211.188"; classtype:trojan-activity; sid:4116671; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/251;) alert ip $HOME_NET any -> 80.82.67.165 any (msg: "MISP e251 [misp-galaxy:mitre-intrusion-set="Winnti Group - G0044",tlp:white] Outgoing To IP: 80.82.67.165"; classtype:trojan-activity; sid:4116681; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/251;) alert ip $HOME_NET any -> 185.161.211.44 any (msg: "MISP e251 [misp-galaxy:mitre-intrusion-set="Winnti Group 
- G0044",tlp:white] Outgoing To IP: 185.161.211.44"; classtype:trojan-activity; sid:4116691; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/251;) alert ip $HOME_NET any -> 139.28.37.102 any (msg: "MISP e251 [misp-galaxy:mitre-intrusion-set="Winnti Group - G0044",tlp:white] Outgoing To IP: 139.28.37.102"; classtype:trojan-activity; sid:4116701; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/251;) alert ip $HOME_NET any -> 103.129.97.182 any (msg: "MISP e251 [misp-galaxy:mitre-intrusion-set="Winnti Group - G0044",tlp:white] Outgoing To IP: 103.129.97.182"; classtype:trojan-activity; sid:4116711; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/251;) alert ip $HOME_NET any -> 179.43.151.200 any (msg: "MISP e251 [misp-galaxy:mitre-intrusion-set="Winnti Group - G0044",tlp:white] Outgoing To IP: 179.43.151.200"; classtype:trojan-activity; sid:4116721; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/251;) alert ip $HOME_NET any -> 176.10.125.69 any (msg: "MISP e251 [misp-galaxy:mitre-intrusion-set="Winnti Group - G0044",tlp:white] Outgoing To IP: 176.10.125.69"; classtype:trojan-activity; sid:4116731; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/251;) alert ip $HOME_NET any -> 139.28.37.224 any (msg: "MISP e251 [misp-galaxy:mitre-intrusion-set="Winnti Group - G0044",tlp:white] Outgoing To IP: 139.28.37.224"; classtype:trojan-activity; sid:4116741; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/251;) alert ip $HOME_NET any -> 185.161.208.118 any (msg: "MISP e251 [misp-galaxy:mitre-intrusion-set="Winnti Group - G0044",tlp:white] Outgoing To IP: 185.161.208.118"; classtype:trojan-activity; sid:4116751; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/251;) alert ip $HOME_NET any -> 185.161.211.97 any (msg: "MISP e251 [misp-galaxy:mitre-intrusion-set="Winnti Group - G0044",tlp:white] Outgoing To IP: 185.161.211.97"; 
classtype:trojan-activity; sid:4116761; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/251;) alert ip $HOME_NET any -> 194.99.22.177 any (msg: "MISP e251 [misp-galaxy:mitre-intrusion-set="Winnti Group - G0044",tlp:white] Outgoing To IP: 194.99.22.177"; classtype:trojan-activity; sid:4116771; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/251;) alert ip $HOME_NET any -> 88.119.170.217 any (msg: "MISP e251 [misp-galaxy:mitre-intrusion-set="Winnti Group - G0044",tlp:white] Outgoing To IP: 88.119.170.217"; classtype:trojan-activity; sid:4116781; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/251;) alert ip $HOME_NET any -> 86.107.197.182 any (msg: "MISP e251 [misp-galaxy:mitre-intrusion-set="Winnti Group - G0044",tlp:white] Outgoing To IP: 86.107.197.182"; classtype:trojan-activity; sid:4116791; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/251;) alert ip $HOME_NET any -> 194.61.233.56 any (msg: "MISP e251 [misp-galaxy:mitre-intrusion-set="Winnti Group - G0044",tlp:white] Outgoing To IP: 194.61.233.56"; classtype:trojan-activity; sid:4116801; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/251;) alert ip $HOME_NET any -> 185.161.208.202 any (msg: "MISP e251 [misp-galaxy:mitre-intrusion-set="Winnti Group - G0044",tlp:white] Outgoing To IP: 185.161.208.202"; classtype:trojan-activity; sid:4116811; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/251;) alert ip $HOME_NET any -> 185.236.78.3 any (msg: "MISP e251 [misp-galaxy:mitre-intrusion-set="Winnti Group - G0044",tlp:white] Outgoing To IP: 185.236.78.3"; classtype:trojan-activity; sid:4116821; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/251;) alert ip $HOME_NET any -> 91.235.129.63 any (msg: "MISP e251 [misp-galaxy:mitre-intrusion-set="Winnti Group - G0044",tlp:white] Outgoing To IP: 91.235.129.63"; classtype:trojan-activity; sid:4116831; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/251;) alert ip $HOME_NET any -> 5.252.176.40 any (msg: "MISP e251 [misp-galaxy:mitre-intrusion-set="Winnti Group - G0044",tlp:white] Outgoing To IP: 5.252.176.40"; classtype:trojan-activity; sid:4116841; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/251;) alert ip $HOME_NET any -> 91.235.128.120 any (msg: "MISP e251 [misp-galaxy:mitre-intrusion-set="Winnti Group - G0044",tlp:white] Outgoing To IP: 91.235.128.120"; classtype:trojan-activity; sid:4116851; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/251;) alert ip $HOME_NET any -> 192.46.209.208 any (msg: "MISP e251 [misp-galaxy:mitre-intrusion-set="Winnti Group - G0044",tlp:white] Outgoing To IP: 192.46.209.208"; classtype:trojan-activity; sid:4116861; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/251;) alert ip $HOME_NET any -> 139.28.36.81 any (msg: "MISP e251 [misp-galaxy:mitre-intrusion-set="Winnti Group - G0044",tlp:white] Outgoing To IP: 139.28.36.81"; classtype:trojan-activity; sid:4116871; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/251;) alert ip $HOME_NET any -> 91.235.128.67 any (msg: "MISP e251 [misp-galaxy:mitre-intrusion-set="Winnti Group - G0044",tlp:white] Outgoing To IP: 91.235.128.67"; classtype:trojan-activity; sid:4116881; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/251;) alert ip $HOME_NET any -> 185.161.209.87 any (msg: "MISP e251 [misp-galaxy:mitre-intrusion-set="Winnti Group - G0044",tlp:white] Outgoing To IP: 185.161.209.87"; classtype:trojan-activity; sid:4116891; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/251;) alert ip $HOME_NET any -> 185.161.210.162 any (msg: "MISP e251 [misp-galaxy:mitre-intrusion-set="Winnti Group - G0044",tlp:white] Outgoing To IP: 185.161.210.162"; classtype:trojan-activity; sid:4116901; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/251;) alert ip 
$HOME_NET any -> 91.235.128.197 any (msg: "MISP e251 [misp-galaxy:mitre-intrusion-set="Winnti Group - G0044",tlp:white] Outgoing To IP: 91.235.128.197"; classtype:trojan-activity; sid:4116911; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/251;) alert ip $HOME_NET any -> 185.161.208.28 any (msg: "MISP e251 [misp-galaxy:mitre-intrusion-set="Winnti Group - G0044",tlp:white] Outgoing To IP: 185.161.208.28"; classtype:trojan-activity; sid:4116921; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/251;) alert ip $HOME_NET any -> 37.120.247.137 any (msg: "MISP e251 [misp-galaxy:mitre-intrusion-set="Winnti Group - G0044",tlp:white] Outgoing To IP: 37.120.247.137"; classtype:trojan-activity; sid:4116931; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/251;) alert ip $HOME_NET any -> 195.54.163.30 any (msg: "MISP e251 [misp-galaxy:mitre-intrusion-set="Winnti Group - G0044",tlp:white] Outgoing To IP: 195.54.163.30"; classtype:trojan-activity; sid:4116941; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/251;) alert ip $HOME_NET any -> 185.236.78.15 any (msg: "MISP e251 [misp-galaxy:mitre-intrusion-set="Winnti Group - G0044",tlp:white] Outgoing To IP: 185.236.78.15"; classtype:trojan-activity; sid:4116951; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/251;) alert ip $HOME_NET any -> 185.161.208.135 any (msg: "MISP e251 [misp-galaxy:mitre-intrusion-set="Winnti Group - G0044",tlp:white] Outgoing To IP: 185.161.208.135"; classtype:trojan-activity; sid:4116961; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/251;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e252 [tlp:white,misp-galaxy:malpedia="Agent Tesla",misp-galaxy:mitre-malware="Agent Tesla - S0331"] Outgoing URL https|3a|//j.mp/chrehghghghghghghghghghcre"; tls.sni; content:"j.mp"; tag:session,600,seconds; classtype:trojan-activity; sid:4116981; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/252;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e252 [tlp:white,misp-galaxy:malpedia="Agent Tesla",misp-galaxy:mitre-malware="Agent Tesla - S0331"] Outgoing URL https|3a|//download2389.mediafire.com/ya9tv6zqa1zg/95ggilwnqccbq6l/20.doc"; tls.sni; content:"download2389.mediafire.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4116991; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/252;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e252 [tlp:white,misp-galaxy:malpedia="Agent Tesla",misp-galaxy:mitre-malware="Agent Tesla - S0331"] Outgoing URL https|3a|//8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com/ugd/8db3b9_2e35a24e3e7b4efba4867a06c6271f32.txt"; tls.sni; content:"8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4117001; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/252;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e252 [tlp:white,misp-galaxy:malpedia="Agent Tesla",misp-galaxy:mitre-malware="Agent Tesla - S0331"] Outgoing URL https|3a|//8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com/ugd/8db3b9_92ec48660f134f3bb502662383ca4ffb.txt"; tls.sni; content:"8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4117011; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/252;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e252 [tlp:white,misp-galaxy:malpedia="Agent Tesla",misp-galaxy:mitre-malware="Agent Tesla - S0331"] Outgoing URL http|3a|//www.starinxxxgkular.duckdns.org/s1/20.txt"; flow:to_server,established; http.header; content:"www.starinxxxgkular.duckdns.org"; fast_pattern; nocase; http.uri; content:"/s1/20.txt"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4117021; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/252;) alert tls 
$HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e252 [tlp:white,misp-galaxy:malpedia="Agent Tesla",misp-galaxy:mitre-malware="Agent Tesla - S0331"] Outgoing URL https|3a|//kukadunikkk@kdaoskdokaodkwldld.blogspot.com/p/20.html"; tls.sni; content:"kdaoskdokaodkwldld.blogspot.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4117031; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/252;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e252 [tlp:white,misp-galaxy:malpedia="Agent Tesla",misp-galaxy:mitre-malware="Agent Tesla - S0331"] Outgoing URL https|3a|//raw.githubusercontent.com/swagkarna/Bypass-Tamper-Protection/main/NSudo.exe"; tls.sni; content:"raw.githubusercontent.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4117041; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/252;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e252 [tlp:white,misp-galaxy:malpedia="Agent Tesla",misp-galaxy:mitre-malware="Agent Tesla - S0331"] Outgoing URL https|3a|//www.mediafire.com/file/qh5j3uy8qo8cpu7/FINAL+MAIN+vbs+-+Copy.vbs/file"; tls.sni; content:"www.mediafire.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4117051; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/252;) alert http $HOME_NET any -> 23.106.123.15 $HTTP_PORTS (msg: "MISP e253 [misp-galaxy:malpedia="CryptBot",misp-galaxy:mitre-enterprise-attack-tool="Cobalt Strike - S0154",misp-galaxy:malpedia="Cobalt Strike",tlp:white] Outgoing URL http|3a|//23.106.123.15/logo.png"; flow:to_server,established; http.header; content:"23.106.123.15"; fast_pattern; nocase; http.uri; content:"/logo.png"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4117671; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/253;) alert dns any any -> any any (msg: "MISP e253 [misp-galaxy:malpedia="CryptBot",misp-galaxy:mitre-enterprise-attack-tool="Cobalt Strike - S0154",misp-galaxy:malpedia="Cobalt 
Strike",tlp:white] Domain stonecrestnews.com"; dns.query; content:"stonecrestnews.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])stonecrestnews\.com$/i"; classtype:trojan-activity; sid:4117681; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/253;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e253 [misp-galaxy:malpedia="CryptBot",misp-galaxy:mitre-enterprise-attack-tool="Cobalt Strike - S0154",misp-galaxy:malpedia="Cobalt Strike",tlp:white] Outgoing HTTP Domain stonecrestnews.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"stonecrestnews.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])stonecrestnews\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4117682; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/253;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e253 [misp-galaxy:malpedia="CryptBot",misp-galaxy:mitre-enterprise-attack-tool="Cobalt Strike - S0154",misp-galaxy:malpedia="Cobalt Strike",tlp:white] Outgoing URL http|3a|//theandersonco.com/wp_info.php"; flow:to_server,established; http.header; content:"theandersonco.com"; fast_pattern; nocase; http.uri; content:"/wp_info.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4117711; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/253;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e253 [misp-galaxy:malpedia="CryptBot",misp-galaxy:mitre-enterprise-attack-tool="Cobalt Strike - S0154",misp-galaxy:malpedia="Cobalt Strike",tlp:white] Outgoing URL http|3a|//tomasubiera.com/wp_getcontent.php"; flow:to_server,established; http.header; content:"tomasubiera.com"; fast_pattern; nocase; http.uri; content:"/wp_getcontent.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4117741; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/253;) alert ip $HOME_NET any -> 146.105.10.215 any 
(msg: "MISP e253 [misp-galaxy:malpedia="CryptBot",misp-galaxy:mitre-enterprise-attack-tool="Cobalt Strike - S0154",misp-galaxy:malpedia="Cobalt Strike",tlp:white] Outgoing To IP: 146.105.10.215"; classtype:trojan-activity; sid:4117801; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/253;) alert ip $HOME_NET any -> 176.67.86.130 any (msg: "MISP e253 [misp-galaxy:malpedia="CryptBot",misp-galaxy:mitre-enterprise-attack-tool="Cobalt Strike - S0154",misp-galaxy:malpedia="Cobalt Strike",tlp:white] Outgoing To IP: 176.67.86.130"; classtype:trojan-activity; sid:4117811; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/253;) alert ip $HOME_NET any -> 176.67.86.52 any (msg: "MISP e253 [misp-galaxy:malpedia="CryptBot",misp-galaxy:mitre-enterprise-attack-tool="Cobalt Strike - S0154",misp-galaxy:malpedia="Cobalt Strike",tlp:white] Outgoing To IP: 176.67.86.52"; classtype:trojan-activity; sid:4117821; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/253;) alert ip $HOME_NET any -> 216.155.158.133 any (msg: "MISP e253 [misp-galaxy:malpedia="CryptBot",misp-galaxy:mitre-enterprise-attack-tool="Cobalt Strike - S0154",misp-galaxy:malpedia="Cobalt Strike",tlp:white] Outgoing To IP: 216.155.158.133"; classtype:trojan-activity; sid:4117831; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/253;) alert ip $HOME_NET any -> 63.75.244.119 any (msg: "MISP e253 [misp-galaxy:malpedia="CryptBot",misp-galaxy:mitre-enterprise-attack-tool="Cobalt Strike - S0154",misp-galaxy:malpedia="Cobalt Strike",tlp:white] Outgoing To IP: 63.75.244.119"; classtype:trojan-activity; sid:4117841; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/253;) alert ip $HOME_NET any -> 63.162.179.166 any (msg: "MISP e253 [misp-galaxy:malpedia="CryptBot",misp-galaxy:mitre-enterprise-attack-tool="Cobalt Strike - S0154",misp-galaxy:malpedia="Cobalt Strike",tlp:white] Outgoing To IP: 63.162.179.166"; classtype:trojan-activity; 
sid:4117851; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/253;) alert ip $HOME_NET any -> 63.162.179.94 any (msg: "MISP e253 [misp-galaxy:malpedia="CryptBot",misp-galaxy:mitre-enterprise-attack-tool="Cobalt Strike - S0154",misp-galaxy:malpedia="Cobalt Strike",tlp:white] Outgoing To IP: 63.162.179.94"; classtype:trojan-activity; sid:4117861; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/253;) alert ip $HOME_NET any -> 63.75.245.144 any (msg: "MISP e253 [misp-galaxy:malpedia="CryptBot",misp-galaxy:mitre-enterprise-attack-tool="Cobalt Strike - S0154",misp-galaxy:malpedia="Cobalt Strike",tlp:white] Outgoing To IP: 63.75.245.144"; classtype:trojan-activity; sid:4117871; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/253;) alert ip $HOME_NET any -> 63.75.245.239 any (msg: "MISP e253 [misp-galaxy:malpedia="CryptBot",misp-galaxy:mitre-enterprise-attack-tool="Cobalt Strike - S0154",misp-galaxy:malpedia="Cobalt Strike",tlp:white] Outgoing To IP: 63.75.245.239"; classtype:trojan-activity; sid:4117881; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/253;) alert ip $HOME_NET any -> 63.75.247.114 any (msg: "MISP e253 [misp-galaxy:malpedia="CryptBot",misp-galaxy:mitre-enterprise-attack-tool="Cobalt Strike - S0154",misp-galaxy:malpedia="Cobalt Strike",tlp:white] Outgoing To IP: 63.75.247.114"; classtype:trojan-activity; sid:4117891; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/253;) alert ip $HOME_NET any -> 91.234.254.144 any (msg: "MISP e253 [misp-galaxy:malpedia="CryptBot",misp-galaxy:mitre-enterprise-attack-tool="Cobalt Strike - S0154",misp-galaxy:malpedia="Cobalt Strike",tlp:white] Outgoing To IP: 91.234.254.144"; classtype:trojan-activity; sid:4117901; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/253;) alert ip $HOME_NET any -> 23.106.123.15 any (msg: "MISP e253 
[misp-galaxy:malpedia="CryptBot",misp-galaxy:mitre-enterprise-attack-tool="Cobalt Strike - S0154",misp-galaxy:malpedia="Cobalt Strike",tlp:white] Outgoing To IP: 23.106.123.15"; classtype:trojan-activity; sid:4117911; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/253;) alert dns any any -> any any (msg: "MISP e253 [misp-galaxy:malpedia="CryptBot",misp-galaxy:mitre-enterprise-attack-tool="Cobalt Strike - S0154",misp-galaxy:malpedia="Cobalt Strike",tlp:white] Domain nordicmademedia.com"; dns.query; content:"nordicmademedia.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])nordicmademedia\.com$/i"; classtype:trojan-activity; sid:4117921; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/253;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e253 [misp-galaxy:malpedia="CryptBot",misp-galaxy:mitre-enterprise-attack-tool="Cobalt Strike - S0154",misp-galaxy:malpedia="Cobalt Strike",tlp:white] Outgoing HTTP Domain nordicmademedia.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nordicmademedia.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nordicmademedia\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4117922; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/253;) alert dns any any -> any any (msg: "MISP e253 [misp-galaxy:malpedia="CryptBot",misp-galaxy:mitre-enterprise-attack-tool="Cobalt Strike - S0154",misp-galaxy:malpedia="Cobalt Strike",tlp:white] Domain tomasubiera.com"; dns.query; content:"tomasubiera.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])tomasubiera\.com$/i"; classtype:trojan-activity; sid:4117931; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/253;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e253 [misp-galaxy:malpedia="CryptBot",misp-galaxy:mitre-enterprise-attack-tool="Cobalt Strike - S0154",misp-galaxy:malpedia="Cobalt Strike",tlp:white] Outgoing HTTP Domain tomasubiera.com"; 
flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tomasubiera.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tomasubiera\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4117932; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/253;) alert dns any any -> any any (msg: "MISP e253 [misp-galaxy:malpedia="CryptBot",misp-galaxy:mitre-enterprise-attack-tool="Cobalt Strike - S0154",misp-galaxy:malpedia="Cobalt Strike",tlp:white] Domain theandersonco.com"; dns.query; content:"theandersonco.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])theandersonco\.com$/i"; classtype:trojan-activity; sid:4117941; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/253;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e253 [misp-galaxy:malpedia="CryptBot",misp-galaxy:mitre-enterprise-attack-tool="Cobalt Strike - S0154",misp-galaxy:malpedia="Cobalt Strike",tlp:white] Outgoing HTTP Domain theandersonco.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"theandersonco.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])theandersonco\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4117942; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/253;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain abiesvc.com"; dns.query; content:"abiesvc.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])abiesvc\.com$/i"; classtype:trojan-activity; sid:4120031; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain abiesvc.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"abiesvc.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])abiesvc\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120032; rev:1; 
priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain abiesvc.info"; dns.query; content:"abiesvc.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])abiesvc\.info$/i"; classtype:trojan-activity; sid:4120041; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain abiesvc.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"abiesvc.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])abiesvc\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120042; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname abiesvc.jp.net"; dns.query; content:"abiesvc.jp.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])abiesvc\.jp\.net$/i"; classtype:trojan-activity; sid:4120051; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname abiesvc.jp.net"; flow:to_server,established; http.header; content: "Host|3a| abiesvc.jp.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])abiesvc\.jp\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120052; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname atom.publicvm.com"; dns.query; content:"atom.publicvm.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])atom\.publicvm\.com$/i"; classtype:trojan-activity; sid:4120061; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname atom.publicvm.com"; flow:to_server,established; http.header; content: "Host|3a| atom.publicvm.com"; 
fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])atom\.publicvm\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120062; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname att.gdrvupload.xyz"; dns.query; content:"att.gdrvupload.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])att\.gdrvupload\.xyz$/i"; classtype:trojan-activity; sid:4120071; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname att.gdrvupload.xyz"; flow:to_server,established; http.header; content: "Host|3a| att.gdrvupload.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])att\.gdrvupload\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120072; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname authenticate.azure-drive.com"; dns.query; content:"authenticate.azure-drive.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])authenticate\.azure\-drive\.com$/i"; classtype:trojan-activity; sid:4120081; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname authenticate.azure-drive.com"; flow:to_server,established; http.header; content: "Host|3a| authenticate.azure-drive.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])authenticate\.azure\-drive\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120082; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain azureprotect.xyz"; dns.query; content:"azureprotect.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])azureprotect\.xyz$/i"; classtype:trojan-activity; sid:4120091; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain azureprotect.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"azureprotect.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])azureprotect\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120092; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname backup.163qiye.top"; dns.query; content:"backup.163qiye.top"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])backup\.163qiye\.top$/i"; classtype:trojan-activity; sid:4120101; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname backup.163qiye.top"; flow:to_server,established; http.header; content: "Host|3a| backup.163qiye.top"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])backup\.163qiye\.top[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120102; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain beenos.biz"; dns.query; content:"beenos.biz"; nocase; pcre: "/(^|[^A-Za-z0-9-])beenos\.biz$/i"; classtype:trojan-activity; sid:4120111; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain beenos.biz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"beenos.biz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])beenos\.biz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120112; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 
[tlp:white] Domain bhomes.cc"; dns.query; content:"bhomes.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-])bhomes\.cc$/i"; classtype:trojan-activity; sid:4120121; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain bhomes.cc"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bhomes.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bhomes\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120122; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname bitcoinnews.mefound.com"; dns.query; content:"bitcoinnews.mefound.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])bitcoinnews\.mefound\.com$/i"; classtype:trojan-activity; sid:4120131; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname bitcoinnews.mefound.com"; flow:to_server,established; http.header; content: "Host|3a| bitcoinnews.mefound.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])bitcoinnews\.mefound\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120132; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain bitflyer.team"; dns.query; content:"bitflyer.team"; nocase; pcre: "/(^|[^A-Za-z0-9-])bitflyer\.team$/i"; classtype:trojan-activity; sid:4120141; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain bitflyer.team"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bitflyer.team"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])bitflyer\.team[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120142; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname blog.cloudsecure.space"; dns.query; content:"blog.cloudsecure.space"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])blog\.cloudsecure\.space$/i"; classtype:trojan-activity; sid:4120151; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname blog.cloudsecure.space"; flow:to_server,established; http.header; content: "Host|3a| blog.cloudsecure.space"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])blog\.cloudsecure\.space[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120152; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain buidihub.com"; dns.query; content:"buidihub.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])buidihub\.com$/i"; classtype:trojan-activity; sid:4120161; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain buidihub.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"buidihub.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])buidihub\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120162; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain chemistryworld.us"; dns.query; content:"chemistryworld.us"; nocase; pcre: "/(^|[^A-Za-z0-9-])chemistryworld\.us$/i"; classtype:trojan-activity; sid:4120181; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain chemistryworld.us"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"chemistryworld.us"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])chemistryworld\.us[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120182; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain circlecapital.us"; dns.query; content:"circlecapital.us"; nocase; pcre: "/(^|[^A-Za-z0-9-])circlecapital\.us$/i"; classtype:trojan-activity; sid:4120191; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain circlecapital.us"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"circlecapital.us"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])circlecapital\.us[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120192; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname client.googleapis.online"; dns.query; content:"client.googleapis.online"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])client\.googleapis\.online$/i"; classtype:trojan-activity; sid:4120201; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname client.googleapis.online"; flow:to_server,established; http.header; content: "Host|3a| client.googleapis.online"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])client\.googleapis\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120202; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] 
Hostname cloud.azure-service.com"; dns.query; content:"cloud.azure-service.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cloud\.azure\-service\.com$/i"; classtype:trojan-activity; sid:4120211; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname cloud.azure-service.com"; flow:to_server,established; http.header; content: "Host|3a| cloud.azure-service.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cloud\.azure\-service\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120212; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname cloud.globalbrains.co"; dns.query; content:"cloud.globalbrains.co"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cloud\.globalbrains\.co$/i"; classtype:trojan-activity; sid:4120221; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname cloud.globalbrains.co"; flow:to_server,established; http.header; content: "Host|3a| cloud.globalbrains.co"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cloud\.globalbrains\.co[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120222; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname cloud.jumpshare.vip"; dns.query; content:"cloud.jumpshare.vip"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cloud\.jumpshare\.vip$/i"; classtype:trojan-activity; sid:4120231; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname cloud.jumpshare.vip"; flow:to_server,established; http.header; content: "Host|3a| cloud.jumpshare.vip"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-\.])cloud\.jumpshare\.vip[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120232; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname cloud.venturelabo.co"; dns.query; content:"cloud.venturelabo.co"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cloud\.venturelabo\.co$/i"; classtype:trojan-activity; sid:4120241; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname cloud.venturelabo.co"; flow:to_server,established; http.header; content: "Host|3a| cloud.venturelabo.co"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cloud\.venturelabo\.co[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120242; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname cloudshare.jumpshare.vip"; dns.query; content:"cloudshare.jumpshare.vip"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cloudshare\.jumpshare\.vip$/i"; classtype:trojan-activity; sid:4120251; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname cloudshare.jumpshare.vip"; flow:to_server,established; http.header; content: "Host|3a| cloudshare.jumpshare.vip"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cloudshare\.jumpshare\.vip[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120252; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain coin-squad.co"; dns.query; content:"coin-squad.co"; nocase; pcre: "/(^|[^A-Za-z0-9-])coin\-squad\.co$/i"; classtype:trojan-activity; sid:4120261; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain coin-squad.co"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"coin-squad.co"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])coin\-squad\.co[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120262; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain coinbig.dev"; dns.query; content:"coinbig.dev"; nocase; pcre: "/(^|[^A-Za-z0-9-])coinbig\.dev$/i"; classtype:trojan-activity; sid:4120271; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain coinbig.dev"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"coinbig.dev"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])coinbig\.dev[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120272; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain coinbigex.com"; dns.query; content:"coinbigex.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])coinbigex\.com$/i"; classtype:trojan-activity; sid:4120281; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain coinbigex.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"coinbigex.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])coinbigex\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120282; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] 
Domain deepmind.fund"; dns.query; content:"deepmind.fund"; nocase; pcre: "/(^|[^A-Za-z0-9-])deepmind\.fund$/i"; classtype:trojan-activity; sid:4120291; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain deepmind.fund"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"deepmind.fund"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])deepmind\.fund[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120292; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain dekryptcap.digital"; dns.query; content:"dekryptcap.digital"; nocase; pcre: "/(^|[^A-Za-z0-9-])dekryptcap\.digital$/i"; classtype:trojan-activity; sid:4120301; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain dekryptcap.digital"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dekryptcap.digital"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dekryptcap\.digital[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120302; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain dllhost.xyz"; dns.query; content:"dllhost.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])dllhost\.xyz$/i"; classtype:trojan-activity; sid:4120311; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain dllhost.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dllhost.xyz"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])dllhost\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120312; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname doc.venturelabo.co"; dns.query; content:"doc.venturelabo.co"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])doc\.venturelabo\.co$/i"; classtype:trojan-activity; sid:4120321; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname doc.venturelabo.co"; flow:to_server,established; http.header; content: "Host|3a| doc.venturelabo.co"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])doc\.venturelabo\.co[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120322; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname doc.youbicapital.cc"; dns.query; content:"doc.youbicapital.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])doc\.youbicapital\.cc$/i"; classtype:trojan-activity; sid:4120331; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname doc.youbicapital.cc"; flow:to_server,established; http.header; content: "Host|3a| doc.youbicapital.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])doc\.youbicapital\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120332; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain doconline.top"; dns.query; content:"doconline.top"; nocase; pcre: "/(^|[^A-Za-z0-9-])doconline\.top$/i"; classtype:trojan-activity; sid:4120341; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg: "MISP e254 [tlp:white] Outgoing HTTP Domain doconline.top"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"doconline.top"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])doconline\.top[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120342; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname docs.azureword.com"; dns.query; content:"docs.azureword.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])docs\.azureword\.com$/i"; classtype:trojan-activity; sid:4120351; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname docs.azureword.com"; flow:to_server,established; http.header; content: "Host|3a| docs.azureword.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])docs\.azureword\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120352; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname docs.coinbigex.com"; dns.query; content:"docs.coinbigex.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])docs\.coinbigex\.com$/i"; classtype:trojan-activity; sid:4120361; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname docs.coinbigex.com"; flow:to_server,established; http.header; content: "Host|3a| docs.coinbigex.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])docs\.coinbigex\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120362; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname docs.gdriveshare.top"; dns.query; content:"docs.gdriveshare.top"; 
nocase; pcre: "/(^|[^A-Za-z0-9-\.])docs\.gdriveshare\.top$/i"; classtype:trojan-activity; sid:4120371; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname docs.gdriveshare.top"; flow:to_server,established; http.header; content: "Host|3a| docs.gdriveshare.top"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])docs\.gdriveshare\.top[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120372; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname docs.goglesheet.com"; dns.query; content:"docs.goglesheet.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])docs\.goglesheet\.com$/i"; classtype:trojan-activity; sid:4120381; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname docs.goglesheet.com"; flow:to_server,established; http.header; content: "Host|3a| docs.goglesheet.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])docs\.goglesheet\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120382; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname docs.securedigitalmarkets.co"; dns.query; content:"docs.securedigitalmarkets.co"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])docs\.securedigitalmarkets\.co$/i"; classtype:trojan-activity; sid:4120391; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname docs.securedigitalmarkets.co"; flow:to_server,established; http.header; content: "Host|3a| docs.securedigitalmarkets.co"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-\.])docs\.securedigitalmarkets\.co[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120392; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain docstream.online"; dns.query; content:"docstream.online"; nocase; pcre: "/(^|[^A-Za-z0-9-])docstream\.online$/i"; classtype:trojan-activity; sid:4120401; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain docstream.online"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"docstream.online"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])docstream\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120402; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname document.antcapital.us"; dns.query; content:"document.antcapital.us"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])document\.antcapital\.us$/i"; classtype:trojan-activity; sid:4120411; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname document.antcapital.us"; flow:to_server,established; http.header; content: "Host|3a| document.antcapital.us"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])document\.antcapital\.us[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120412; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname document.bhomes.cc"; dns.query; content:"document.bhomes.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])document\.bhomes\.cc$/i"; classtype:trojan-activity; sid:4120421; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname document.bhomes.cc"; flow:to_server,established; http.header; content: "Host|3a| document.bhomes.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])document\.bhomes\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120422; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname document.fastercapital.cc"; dns.query; content:"document.fastercapital.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])document\.fastercapital\.cc$/i"; classtype:trojan-activity; sid:4120431; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname document.fastercapital.cc"; flow:to_server,established; http.header; content: "Host|3a| document.fastercapital.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])document\.fastercapital\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120432; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname document.kraken-dev.com"; dns.query; content:"document.kraken-dev.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])document\.kraken\-dev\.com$/i"; classtype:trojan-activity; sid:4120441; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname document.kraken-dev.com"; flow:to_server,established; http.header; content: "Host|3a| document.kraken-dev.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])document\.kraken\-dev\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120442; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname document.lundbergs.cc"; dns.query; content:"document.lundbergs.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])document\.lundbergs\.cc$/i"; classtype:trojan-activity; sid:4120451; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname document.lundbergs.cc"; flow:to_server,established; http.header; content: "Host|3a| document.lundbergs.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])document\.lundbergs\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120452; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname document.skandiafastigheter.cc"; dns.query; content:"document.skandiafastigheter.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])document\.skandiafastigheter\.cc$/i"; classtype:trojan-activity; sid:4120461; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname document.skandiafastigheter.cc"; flow:to_server,established; http.header; content: "Host|3a| document.skandiafastigheter.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])document\.skandiafastigheter\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120462; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain documentprotect.live"; dns.query; content:"documentprotect.live"; nocase; pcre: "/(^|[^A-Za-z0-9-])documentprotect\.live$/i"; classtype:trojan-activity; sid:4120471; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] 
Outgoing HTTP Domain documentprotect.live"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"documentprotect.live"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])documentprotect\.live[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120472; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain documentprotect.pro"; dns.query; content:"documentprotect.pro"; nocase; pcre: "/(^|[^A-Za-z0-9-])documentprotect\.pro$/i"; classtype:trojan-activity; sid:4120481; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain documentprotect.pro"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"documentprotect.pro"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])documentprotect\.pro[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120482; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname documents.antcapital.us"; dns.query; content:"documents.antcapital.us"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])documents\.antcapital\.us$/i"; classtype:trojan-activity; sid:4120491; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname documents.antcapital.us"; flow:to_server,established; http.header; content: "Host|3a| documents.antcapital.us"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])documents\.antcapital\.us[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120492; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain docuserver.xyz"; 
dns.query; content:"docuserver.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])docuserver\.xyz$/i"; classtype:trojan-activity; sid:4120501; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain docuserver.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"docuserver.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])docuserver\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120502; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname domainhost.dynamic-dns.net"; dns.query; content:"domainhost.dynamic-dns.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])domainhost\.dynamic\-dns\.net$/i"; classtype:trojan-activity; sid:4120511; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname domainhost.dynamic-dns.net"; flow:to_server,established; http.header; content: "Host|3a| domainhost.dynamic-dns.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])domainhost\.dynamic\-dns\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120512; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname download.azure-safe.com"; dns.query; content:"download.azure-safe.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])download\.azure\-safe\.com$/i"; classtype:trojan-activity; sid:4120521; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname download.azure-safe.com"; flow:to_server,established; http.header; content: "Host|3a| download.azure-safe.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-\.])download\.azure\-safe\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120522; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname download.azure-service.com"; dns.query; content:"download.azure-service.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])download\.azure\-service\.com$/i"; classtype:trojan-activity; sid:4120531; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname download.azure-service.com"; flow:to_server,established; http.header; content: "Host|3a| download.azure-service.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])download\.azure\-service\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120532; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname download.gdriveupload.site"; dns.query; content:"download.gdriveupload.site"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])download\.gdriveupload\.site$/i"; classtype:trojan-activity; sid:4120541; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname download.gdriveupload.site"; flow:to_server,established; http.header; content: "Host|3a| download.gdriveupload.site"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])download\.gdriveupload\.site[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120542; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname drives.googldrive.xyz"; dns.query; content:"drives.googldrive.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])drives\.googldrive\.xyz$/i"; 
classtype:trojan-activity; sid:4120551; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname drives.googldrive.xyz"; flow:to_server,established; http.header; content: "Host|3a| drives.googldrive.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])drives\.googldrive\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120552; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname drives.googlecloud.live"; dns.query; content:"drives.googlecloud.live"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])drives\.googlecloud\.live$/i"; classtype:trojan-activity; sid:4120561; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname drives.googlecloud.live"; flow:to_server,established; http.header; content: "Host|3a| drives.googlecloud.live"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])drives\.googlecloud\.live[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120562; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname driveshare.googldrive.xyz"; dns.query; content:"driveshare.googldrive.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])driveshare\.googldrive\.xyz$/i"; classtype:trojan-activity; sid:4120571; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname driveshare.googldrive.xyz"; flow:to_server,established; http.header; content: "Host|3a| driveshare.googldrive.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])driveshare\.googldrive\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4120572; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain dronefund.icu"; dns.query; content:"dronefund.icu"; nocase; pcre: "/(^|[^A-Za-z0-9-])dronefund\.icu$/i"; classtype:trojan-activity; sid:4120581; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain dronefund.icu"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dronefund.icu"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dronefund\.icu[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120582; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain drw.capital"; dns.query; content:"drw.capital"; nocase; pcre: "/(^|[^A-Za-z0-9-])drw\.capital$/i"; classtype:trojan-activity; sid:4120591; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain drw.capital"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"drw.capital"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])drw\.capital[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120592; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain eii.world"; dns.query; content:"eii.world"; nocase; pcre: "/(^|[^A-Za-z0-9-])eii\.world$/i"; classtype:trojan-activity; sid:4120601; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain eii.world"; flow:to_server,established; http.header; content: "Host|3a|"; 
nocase; http.header; content:"eii.world"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])eii\.world[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120602; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname etherscan.mrslove.com"; dns.query; content:"etherscan.mrslove.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])etherscan\.mrslove\.com$/i"; classtype:trojan-activity; sid:4120611; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname etherscan.mrslove.com"; flow:to_server,established; http.header; content: "Host|3a| etherscan.mrslove.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])etherscan\.mrslove\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120612; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname faq78.faqserv.com"; dns.query; content:"faq78.faqserv.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])faq78\.faqserv\.com$/i"; classtype:trojan-activity; sid:4120621; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname faq78.faqserv.com"; flow:to_server,established; http.header; content: "Host|3a| faq78.faqserv.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])faq78\.faqserv\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120622; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain fastdown.site"; dns.query; content:"fastdown.site"; nocase; pcre: "/(^|[^A-Za-z0-9-])fastdown\.site$/i"; classtype:trojan-activity; sid:4120631; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain fastdown.site"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"fastdown.site"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])fastdown\.site[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120632; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain fastercapital.cc"; dns.query; content:"fastercapital.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-])fastercapital\.cc$/i"; classtype:trojan-activity; sid:4120641; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain fastercapital.cc"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"fastercapital.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])fastercapital\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120642; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname file.venturelabo.co"; dns.query; content:"file.venturelabo.co"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])file\.venturelabo\.co$/i"; classtype:trojan-activity; sid:4120651; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname file.venturelabo.co"; flow:to_server,established; http.header; content: "Host|3a| file.venturelabo.co"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])file\.venturelabo\.co[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120652; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any 
any -> any any (msg: "MISP e254 [tlp:white] Domain filestream.download"; dns.query; content:"filestream.download"; nocase; pcre: "/(^|[^A-Za-z0-9-])filestream\.download$/i"; classtype:trojan-activity; sid:4120661; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain filestream.download"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"filestream.download"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])filestream\.download[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120662; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname foundico.mefound.com"; dns.query; content:"foundico.mefound.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])foundico\.mefound\.com$/i"; classtype:trojan-activity; sid:4120671; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname foundico.mefound.com"; flow:to_server,established; http.header; content: "Host|3a| foundico.mefound.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])foundico\.mefound\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120672; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain galaxydigital.cc"; dns.query; content:"galaxydigital.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-])galaxydigital\.cc$/i"; classtype:trojan-activity; sid:4120681; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain galaxydigital.cc"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; 
content:"galaxydigital.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])galaxydigital\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120682; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain galaxydigital.cloud"; dns.query; content:"galaxydigital.cloud"; nocase; pcre: "/(^|[^A-Za-z0-9-])galaxydigital\.cloud$/i"; classtype:trojan-activity; sid:4120691; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain galaxydigital.cloud"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"galaxydigital.cloud"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])galaxydigital\.cloud[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120692; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain googledrive.download"; dns.query; content:"googledrive.download"; nocase; pcre: "/(^|[^A-Za-z0-9-])googledrive\.download$/i"; classtype:trojan-activity; sid:4120701; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain googledrive.download"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"googledrive.download"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])googledrive\.download[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120702; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain googledrive.email"; dns.query; content:"googledrive.email"; nocase; pcre: "/(^|[^A-Za-z0-9-])googledrive\.email$/i"; classtype:trojan-activity; 
sid:4120711; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain googledrive.email"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"googledrive.email"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])googledrive\.email[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120712; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain googledrive.online"; dns.query; content:"googledrive.online"; nocase; pcre: "/(^|[^A-Za-z0-9-])googledrive\.online$/i"; classtype:trojan-activity; sid:4120721; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain googledrive.online"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"googledrive.online"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])googledrive\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120722; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname googledrive.publicvm.com"; dns.query; content:"googledrive.publicvm.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])googledrive\.publicvm\.com$/i"; classtype:trojan-activity; sid:4120731; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname googledrive.publicvm.com"; flow:to_server,established; http.header; content: "Host|3a| googledrive.publicvm.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])googledrive\.publicvm\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120732; 
rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain googleexplore.net"; dns.query; content:"googleexplore.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])googleexplore\.net$/i"; classtype:trojan-activity; sid:4120741; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain googleexplore.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"googleexplore.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])googleexplore\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120742; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain googleservice.icu"; dns.query; content:"googleservice.icu"; nocase; pcre: "/(^|[^A-Za-z0-9-])googleservice\.icu$/i"; classtype:trojan-activity; sid:4120751; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain googleservice.icu"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"googleservice.icu"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])googleservice\.icu[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120752; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain googleservice.xyz"; dns.query; content:"googleservice.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])googleservice\.xyz$/i"; classtype:trojan-activity; sid:4120761; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain googleservice.xyz"; 
flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"googleservice.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])googleservice\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120762; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname gsheet.gdocsdown.com"; dns.query; content:"gsheet.gdocsdown.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])gsheet\.gdocsdown\.com$/i"; classtype:trojan-activity; sid:4120771; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname gsheet.gdocsdown.com"; flow:to_server,established; http.header; content: "Host|3a| gsheet.gdocsdown.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])gsheet\.gdocsdown\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120772; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain hiccup.shop"; dns.query; content:"hiccup.shop"; nocase; pcre: "/(^|[^A-Za-z0-9-])hiccup\.shop$/i"; classtype:trojan-activity; sid:4120781; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain hiccup.shop"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hiccup.shop"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hiccup\.shop[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120782; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain innoenergy.info"; dns.query; content:"innoenergy.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])innoenergy\.info$/i"; 
classtype:trojan-activity; sid:4120791; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain innoenergy.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"innoenergy.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])innoenergy\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120792; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain isosecurity.xyz"; dns.query; content:"isosecurity.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])isosecurity\.xyz$/i"; classtype:trojan-activity; sid:4120801; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain isosecurity.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"isosecurity.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])isosecurity\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120802; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain jack710.club"; dns.query; content:"jack710.club"; nocase; pcre: "/(^|[^A-Za-z0-9-])jack710\.club$/i"; classtype:trojan-activity; sid:4120811; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain jack710.club"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"jack710.club"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])jack710\.club[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120812; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain jumpshare.vip"; dns.query; content:"jumpshare.vip"; nocase; pcre: "/(^|[^A-Za-z0-9-])jumpshare\.vip$/i"; classtype:trojan-activity; sid:4120821; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain jumpshare.vip"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"jumpshare.vip"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])jumpshare\.vip[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120822; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain kraken-dev.com"; dns.query; content:"kraken-dev.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])kraken\-dev\.com$/i"; classtype:trojan-activity; sid:4120831; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain kraken-dev.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kraken-dev.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kraken\-dev\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120832; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname ledgerservice.itsaol.com"; dns.query; content:"ledgerservice.itsaol.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ledgerservice\.itsaol\.com$/i"; classtype:trojan-activity; sid:4120841; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname ledgerservice.itsaol.com"; flow:to_server,established; 
http.header; content: "Host|3a| ledgerservice.itsaol.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ledgerservice\.itsaol\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120842; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain lemniscap.cc"; dns.query; content:"lemniscap.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-])lemniscap\.cc$/i"; classtype:trojan-activity; sid:4120851; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain lemniscap.cc"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lemniscap.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lemniscap\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120852; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain lundbergs.cc"; dns.query; content:"lundbergs.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-])lundbergs\.cc$/i"; classtype:trojan-activity; sid:4120861; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain lundbergs.cc"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lundbergs.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lundbergs\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120862; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname mail.gdriveupload.info"; dns.query; content:"mail.gdriveupload.info"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mail\.gdriveupload\.info$/i"; classtype:trojan-activity; sid:4120871; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname mail.gdriveupload.info"; flow:to_server,established; http.header; content: "Host|3a| mail.gdriveupload.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mail\.gdriveupload\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120872; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname mail.gmaildrive.site"; dns.query; content:"mail.gmaildrive.site"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mail\.gmaildrive\.site$/i"; classtype:trojan-activity; sid:4120881; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname mail.gmaildrive.site"; flow:to_server,established; http.header; content: "Host|3a| mail.gmaildrive.site"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mail\.gmaildrive\.site[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120882; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname mail.googleupload.info"; dns.query; content:"mail.googleupload.info"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mail\.googleupload\.info$/i"; classtype:trojan-activity; sid:4120891; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname mail.googleupload.info"; flow:to_server,established; http.header; content: "Host|3a| mail.googleupload.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mail\.googleupload\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120892; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain mclland.com"; dns.query; content:"mclland.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])mclland\.com$/i"; classtype:trojan-activity; sid:4120901; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain mclland.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mclland.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mclland\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120902; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain microstratgey.com"; dns.query; content:"microstratgey.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])microstratgey\.com$/i"; classtype:trojan-activity; sid:4120911; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain microstratgey.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"microstratgey.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])microstratgey\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120912; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname miss.outletalertsdaily.com"; dns.query; content:"miss.outletalertsdaily.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])miss\.outletalertsdaily\.com$/i"; classtype:trojan-activity; sid:4120921; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname miss.outletalertsdaily.com"; 
flow:to_server,established; http.header; content: "Host|3a| miss.outletalertsdaily.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])miss\.outletalertsdaily\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120922; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname msoffice.qooqle.download"; dns.query; content:"msoffice.qooqle.download"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])msoffice\.qooqle\.download$/i"; classtype:trojan-activity; sid:4120931; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname msoffice.qooqle.download"; flow:to_server,established; http.header; content: "Host|3a| msoffice.qooqle.download"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])msoffice\.qooqle\.download[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120932; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname note.onedocshare.com"; dns.query; content:"note.onedocshare.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])note\.onedocshare\.com$/i"; classtype:trojan-activity; sid:4120941; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname note.onedocshare.com"; flow:to_server,established; http.header; content: "Host|3a| note.onedocshare.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])note\.onedocshare\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120942; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain onlinedocpage.org"; dns.query; content:"onlinedocpage.org"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])onlinedocpage\.org$/i"; classtype:trojan-activity; sid:4120951; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain onlinedocpage.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"onlinedocpage.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])onlinedocpage\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120952; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname page.googledocpage.com"; dns.query; content:"page.googledocpage.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])page\.googledocpage\.com$/i"; classtype:trojan-activity; sid:4120961; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname page.googledocpage.com"; flow:to_server,established; http.header; content: "Host|3a| page.googledocpage.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])page\.googledocpage\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120962; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname product.onlinedoc.dev"; dns.query; content:"product.onlinedoc.dev"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])product\.onlinedoc\.dev$/i"; classtype:trojan-activity; sid:4120971; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname product.onlinedoc.dev"; flow:to_server,established; http.header; content: "Host|3a| product.onlinedoc.dev"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])product\.onlinedoc\.dev[^A-Za-z0-9-\.]/Hi"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4120972; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname protect.antcapital.us"; dns.query; content:"protect.antcapital.us"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])protect\.antcapital\.us$/i"; classtype:trojan-activity; sid:4120981; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname protect.antcapital.us"; flow:to_server,established; http.header; content: "Host|3a| protect.antcapital.us"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])protect\.antcapital\.us[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120982; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname protect.azure-drive.com"; dns.query; content:"protect.azure-drive.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])protect\.azure\-drive\.com$/i"; classtype:trojan-activity; sid:4120991; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname protect.azure-drive.com"; flow:to_server,established; http.header; content: "Host|3a| protect.azure-drive.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])protect\.azure\-drive\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4120992; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname protect.venturelabo.co"; dns.query; content:"protect.venturelabo.co"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])protect\.venturelabo\.co$/i"; classtype:trojan-activity; sid:4121001; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname protect.venturelabo.co"; flow:to_server,established; http.header; content: "Host|3a| protect.venturelabo.co"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])protect\.venturelabo\.co[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4121002; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain protectoffice.club"; dns.query; content:"protectoffice.club"; nocase; pcre: "/(^|[^A-Za-z0-9-])protectoffice\.club$/i"; classtype:trojan-activity; sid:4121011; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain protectoffice.club"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"protectoffice.club"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])protectoffice\.club[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4121012; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname pvset.itsaol.com"; dns.query; content:"pvset.itsaol.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])pvset\.itsaol\.com$/i"; classtype:trojan-activity; sid:4121021; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname pvset.itsaol.com"; flow:to_server,established; http.header; content: "Host|3a| pvset.itsaol.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])pvset\.itsaol\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4121022; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain qooqle.download"; dns.query; 
content:"qooqle.download"; nocase; pcre: "/(^|[^A-Za-z0-9-])qooqle\.download$/i"; classtype:trojan-activity; sid:4121031; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;)
# NOTE(review): the "Domain" DNS rules use a pcre whose leading class "(^|[^A-Za-z0-9-])" still admits a '.',
# so they also fire on any subdomain of the indicator. The "Hostname" rules exclude the '.' ("[^A-Za-z0-9-\.]")
# and match only the exact FQDN. Where both exist for the same name (e.g. msoffice.qooqle.download and
# qooqle.download, slot0.regcnlab.com and regcnlab.com) expect two alerts for one lookup; de-duplicate downstream.
# NOTE(review): in the "Outgoing HTTP Domain" rules, the second http.header content and the /Hi pcre are not
# chained (no distance/within) to the preceding "Host|3a|" content, so the indicator is matched anywhere in the
# request headers (Referer, Origin, Cookie, ...), not only in the Host value. Treat such hits as lower fidelity
# than "Outgoing HTTP Hostname" rules, whose single content pins "Host|3a| <fqdn>".
# NOTE(review): the HTTP rules only inspect plaintext HTTP; TLS sessions to these hosts are visible in this
# section only through the DNS rules, unless tls.sni rules for them exist elsewhere in the export.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain qooqle.download"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"qooqle.download"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])qooqle\.download[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4121032; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;)
alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain qoqle.online"; dns.query; content:"qoqle.online"; nocase; pcre: "/(^|[^A-Za-z0-9-])qoqle\.online$/i"; classtype:trojan-activity; sid:4121041; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain qoqle.online"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"qoqle.online"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])qoqle\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4121042; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;)
alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain regcnlab.com"; dns.query; content:"regcnlab.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])regcnlab\.com$/i"; classtype:trojan-activity; sid:4121051; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain regcnlab.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"regcnlab.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])regcnlab\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; 
sid:4121052; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain reit.live"; dns.query; content:"reit.live"; nocase; pcre: "/(^|[^A-Za-z0-9-])reit\.live$/i"; classtype:trojan-activity; sid:4121061; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain reit.live"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"reit.live"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])reit\.live[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4121062; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain securedigitalmarkets.ca"; dns.query; content:"securedigitalmarkets.ca"; nocase; pcre: "/(^|[^A-Za-z0-9-])securedigitalmarkets\.ca$/i"; classtype:trojan-activity; sid:4121071; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain securedigitalmarkets.ca"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"securedigitalmarkets.ca"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])securedigitalmarkets\.ca[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4121072; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname share.bloomcloud.org"; dns.query; content:"share.bloomcloud.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])share\.bloomcloud\.org$/i"; classtype:trojan-activity; sid:4121081; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname 
share.bloomcloud.org"; flow:to_server,established; http.header; content: "Host|3a| share.bloomcloud.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])share\.bloomcloud\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4121082; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname share.devprocloud.com"; dns.query; content:"share.devprocloud.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])share\.devprocloud\.com$/i"; classtype:trojan-activity; sid:4121091; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname share.devprocloud.com"; flow:to_server,established; http.header; content: "Host|3a| share.devprocloud.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])share\.devprocloud\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4121092; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname share.docuserver.xyz"; dns.query; content:"share.docuserver.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])share\.docuserver\.xyz$/i"; classtype:trojan-activity; sid:4121101; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname share.docuserver.xyz"; flow:to_server,established; http.header; content: "Host|3a| share.docuserver.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])share\.docuserver\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4121102; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname share.stablemarket.org"; dns.query; content:"share.stablemarket.org"; nocase; pcre: 
"/(^|[^A-Za-z0-9-\.])share\.stablemarket\.org$/i"; classtype:trojan-activity; sid:4121111; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname share.stablemarket.org"; flow:to_server,established; http.header; content: "Host|3a| share.stablemarket.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])share\.stablemarket\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4121112; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain sharedocs.xyz"; dns.query; content:"sharedocs.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])sharedocs\.xyz$/i"; classtype:trojan-activity; sid:4121121; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain sharedocs.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sharedocs.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sharedocs\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4121122; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname signverydn.sharebusiness.xyz"; dns.query; content:"signverydn.sharebusiness.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])signverydn\.sharebusiness\.xyz$/i"; classtype:trojan-activity; sid:4121131; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname signverydn.sharebusiness.xyz"; flow:to_server,established; http.header; content: "Host|3a| signverydn.sharebusiness.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])signverydn\.sharebusiness\.xyz[^A-Za-z0-9-\.]/Hi"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4121132; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain sinovationventures.co"; dns.query; content:"sinovationventures.co"; nocase; pcre: "/(^|[^A-Za-z0-9-])sinovationventures\.co$/i"; classtype:trojan-activity; sid:4121141; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain sinovationventures.co"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sinovationventures.co"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sinovationventures\.co[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4121142; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain skandiafastigheter.cc"; dns.query; content:"skandiafastigheter.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-])skandiafastigheter\.cc$/i"; classtype:trojan-activity; sid:4121151; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain skandiafastigheter.cc"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"skandiafastigheter.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])skandiafastigheter\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4121152; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname slot0.regcnlab.com"; dns.query; content:"slot0.regcnlab.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])slot0\.regcnlab\.com$/i"; classtype:trojan-activity; sid:4121161; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname slot0.regcnlab.com"; flow:to_server,established; http.header; content: "Host|3a| slot0.regcnlab.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])slot0\.regcnlab\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4121162; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname svr04.faqserv.com"; dns.query; content:"svr04.faqserv.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])svr04\.faqserv\.com$/i"; classtype:trojan-activity; sid:4121171; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname svr04.faqserv.com"; flow:to_server,established; http.header; content: "Host|3a| svr04.faqserv.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])svr04\.faqserv\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4121172; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname tokenhub.mefound.com"; dns.query; content:"tokenhub.mefound.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])tokenhub\.mefound\.com$/i"; classtype:trojan-activity; sid:4121181; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname tokenhub.mefound.com"; flow:to_server,established; http.header; content: "Host|3a| tokenhub.mefound.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])tokenhub\.mefound\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4121182; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname tokentrack.mrbasic.com"; 
dns.query; content:"tokentrack.mrbasic.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])tokentrack\.mrbasic\.com$/i"; classtype:trojan-activity; sid:4121191; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname tokentrack.mrbasic.com"; flow:to_server,established; http.header; content: "Host|3a| tokentrack.mrbasic.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])tokentrack\.mrbasic\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4121192; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname twosigma.publicvm.com"; dns.query; content:"twosigma.publicvm.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])twosigma\.publicvm\.com$/i"; classtype:trojan-activity; sid:4121201; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname twosigma.publicvm.com"; flow:to_server,established; http.header; content: "Host|3a| twosigma.publicvm.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])twosigma\.publicvm\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4121202; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname up.digifincx.com"; dns.query; content:"up.digifincx.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])up\.digifincx\.com$/i"; classtype:trojan-activity; sid:4121211; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname up.digifincx.com"; flow:to_server,established; http.header; content: "Host|3a| up.digifincx.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-\.])up\.digifincx\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4121212; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain updatepool.online"; dns.query; content:"updatepool.online"; nocase; pcre: "/(^|[^A-Za-z0-9-])updatepool\.online$/i"; classtype:trojan-activity; sid:4121231; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain updatepool.online"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"updatepool.online"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])updatepool\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4121232; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname upload.gdrives.best"; dns.query; content:"upload.gdrives.best"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])upload\.gdrives\.best$/i"; classtype:trojan-activity; sid:4121241; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname upload.gdrives.best"; flow:to_server,established; http.header; content: "Host|3a| upload.gdrives.best"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])upload\.gdrives\.best[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4121242; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain venturelabo.co"; dns.query; content:"venturelabo.co"; nocase; pcre: "/(^|[^A-Za-z0-9-])venturelabo\.co$/i"; classtype:trojan-activity; sid:4121251; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain venturelabo.co"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"venturelabo.co"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])venturelabo\.co[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4121252; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname verify.googleauth.pro"; dns.query; content:"verify.googleauth.pro"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])verify\.googleauth\.pro$/i"; classtype:trojan-activity; sid:4121261; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname verify.googleauth.pro"; flow:to_server,established; http.header; content: "Host|3a| verify.googleauth.pro"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])verify\.googleauth\.pro[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4121262; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname word.azureword.com"; dns.query; content:"word.azureword.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])word\.azureword\.com$/i"; classtype:trojan-activity; sid:4121271; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname word.azureword.com"; flow:to_server,established; http.header; content: "Host|3a| word.azureword.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])word\.azureword\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4121272; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname 
www.googledocpage.com"; dns.query; content:"www.googledocpage.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.googledocpage\.com$/i"; classtype:trojan-activity; sid:4121281; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname www.googledocpage.com"; flow:to_server,established; http.header; content: "Host|3a| www.googledocpage.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.googledocpage\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4121282; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname www.googlesheetpage.org"; dns.query; content:"www.googlesheetpage.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.googlesheetpage\.org$/i"; classtype:trojan-activity; sid:4121291; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname www.googlesheetpage.org"; flow:to_server,established; http.header; content: "Host|3a| www.googlesheetpage.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.googlesheetpage\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4121292; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname www.onlinedocpage.org"; dns.query; content:"www.onlinedocpage.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.onlinedocpage\.org$/i"; classtype:trojan-activity; sid:4121301; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname www.onlinedocpage.org"; flow:to_server,established; http.header; content: "Host|3a| www.onlinedocpage.org"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-\.])www\.onlinedocpage\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4121302; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Domain youbicapital.cc"; dns.query; content:"youbicapital.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-])youbicapital\.cc$/i"; classtype:trojan-activity; sid:4121311; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Domain youbicapital.cc"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"youbicapital.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])youbicapital\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4121312; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert ip $HOME_NET any -> 118.70.116.154 8080 (msg: "MISP e254 [tlp:white] Outgoing To IP: 118.70.116.154|8080"; classtype:trojan-activity; sid:4121321; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert ip $HOME_NET any -> 163.25.24.44 any (msg: "MISP e254 [tlp:white] Outgoing To IP: 163.25.24.44"; classtype:trojan-activity; sid:4121331; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert ip $HOME_NET any -> 45.238.25.2 any (msg: "MISP e254 [tlp:white] Outgoing To IP: 45.238.25.2"; classtype:trojan-activity; sid:4121341; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname devstar.dnsrd.com"; dns.query; content:"devstar.dnsrd.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])devstar\.dnsrd\.com$/i"; classtype:trojan-activity; sid:4121351; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP 
Hostname devstar.dnsrd.com"; flow:to_server,established; http.header; content: "Host|3a| devstar.dnsrd.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])devstar\.dnsrd\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4121352; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname fxbet.linkpc.net"; dns.query; content:"fxbet.linkpc.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])fxbet\.linkpc\.net$/i"; classtype:trojan-activity; sid:4121361; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname fxbet.linkpc.net"; flow:to_server,established; http.header; content: "Host|3a| fxbet.linkpc.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])fxbet\.linkpc\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4121362; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname lservs.linkpc.net"; dns.query; content:"lservs.linkpc.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])lservs\.linkpc\.net$/i"; classtype:trojan-activity; sid:4121371; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname lservs.linkpc.net"; flow:to_server,established; http.header; content: "Host|3a| lservs.linkpc.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])lservs\.linkpc\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4121372; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname mmsreceive.linkpc.net"; dns.query; content:"mmsreceive.linkpc.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mmsreceive\.linkpc\.net$/i"; 
classtype:trojan-activity; sid:4121381; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname mmsreceive.linkpc.net"; flow:to_server,established; http.header; content: "Host|3a| mmsreceive.linkpc.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mmsreceive\.linkpc\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4121382; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname msservices.hxxps443.org"; dns.query; content:"msservices.hxxps443.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])msservices\.hxxps443\.org$/i"; classtype:trojan-activity; sid:4121391; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname msservices.hxxps443.org"; flow:to_server,established; http.header; content: "Host|3a| msservices.hxxps443.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])msservices\.hxxps443\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4121392; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname onlineshoping.publicvm.com"; dns.query; content:"onlineshoping.publicvm.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])onlineshoping\.publicvm\.com$/i"; classtype:trojan-activity; sid:4121401; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname onlineshoping.publicvm.com"; flow:to_server,established; http.header; content: "Host|3a| onlineshoping.publicvm.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])onlineshoping\.publicvm\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4121402; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname palconshop.linkpc.net"; dns.query; content:"palconshop.linkpc.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])palconshop\.linkpc\.net$/i"; classtype:trojan-activity; sid:4121411; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname palconshop.linkpc.net"; flow:to_server,established; http.header; content: "Host|3a| palconshop.linkpc.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])palconshop\.linkpc\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4121412; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname pokersonic.publicvm.com"; dns.query; content:"pokersonic.publicvm.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])pokersonic\.publicvm\.com$/i"; classtype:trojan-activity; sid:4121421; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname pokersonic.publicvm.com"; flow:to_server,established; http.header; content: "Host|3a| pokersonic.publicvm.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])pokersonic\.publicvm\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4121422; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname press.linkpc.net"; dns.query; content:"press.linkpc.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])press\.linkpc\.net$/i"; classtype:trojan-activity; sid:4121431; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 
[tlp:white] Outgoing HTTP Hostname press.linkpc.net"; flow:to_server,established; http.header; content: "Host|3a| press.linkpc.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])press\.linkpc\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4121432; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname rubbishshop.linkpc.net"; dns.query; content:"rubbishshop.linkpc.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])rubbishshop\.linkpc\.net$/i"; classtype:trojan-activity; sid:4121441; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname rubbishshop.linkpc.net"; flow:to_server,established; http.header; content: "Host|3a| rubbishshop.linkpc.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])rubbishshop\.linkpc\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4121442; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname rubbishshop.publicvm.com"; dns.query; content:"rubbishshop.publicvm.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])rubbishshop\.publicvm\.com$/i"; classtype:trojan-activity; sid:4121451; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname rubbishshop.publicvm.com"; flow:to_server,established; http.header; content: "Host|3a| rubbishshop.publicvm.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])rubbishshop\.publicvm\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4121452; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname socins.publicvm.com"; dns.query; 
content:"socins.publicvm.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])socins\.publicvm\.com$/i"; classtype:trojan-activity; sid:4121461; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname socins.publicvm.com"; flow:to_server,established; http.header; content: "Host|3a| socins.publicvm.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])socins\.publicvm\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4121462; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert dns any any -> any any (msg: "MISP e254 [tlp:white] Hostname vpsfree.linkpc.net"; dns.query; content:"vpsfree.linkpc.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])vpsfree\.linkpc\.net$/i"; classtype:trojan-activity; sid:4121471; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e254 [tlp:white] Outgoing HTTP Hostname vpsfree.linkpc.net"; flow:to_server,established; http.header; content: "Host|3a| vpsfree.linkpc.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])vpsfree\.linkpc\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4121472; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/254;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e257 [tlp:white] Outgoing URL fizi4aqe7hpsts3r.onion/hci/client.php"; flow:to_server,established; http.uri; content:"fizi4aqe7hpsts3r.onion/hci/client.php"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4121741; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/257;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e257 [tlp:white] Outgoing URL https|3a|//www.genou-alsace.fr/putty.zip"; tls.sni; content:"www.genou-alsace.fr"; tag:session,600,seconds; classtype:trojan-activity; sid:4121761; rev:1; 
priority:2; reference:url,https://misp.botvrij.eu/events/view/257;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e257 [tlp:white] Outgoing URL https|3a|//addendasoftware.com/blog2/wp-content/uploads/2021/11/putty.zip"; tls.sni; content:"addendasoftware.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4121771; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/257;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e257 [tlp:white] Outgoing URL http|3a|//www.energym63.com/10451372/putty2.zip"; flow:to_server,established; http.header; content:"www.energym63.com"; fast_pattern; nocase; http.uri; content:"/10451372/putty2.zip"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4121781; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/257;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e257 [tlp:white] Outgoing URL http|3a|//laurentabert.fr/setup.zip"; flow:to_server,established; http.header; content:"laurentabert.fr"; fast_pattern; nocase; http.uri; content:"/setup.zip"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4121791; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/257;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e257 [tlp:white] Outgoing URL http|3a|//www.energym63.com/10451372/cports.exe"; flow:to_server,established; http.header; content:"www.energym63.com"; fast_pattern; nocase; http.uri; content:"/10451372/cports.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4121801; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/257;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e257 [tlp:white] Outgoing URL http|3a|//www.palette-events.com/css/|5c|_notes/putty.zip"; flow:to_server,established; http.header; content:"www.palette-events.com"; fast_pattern; nocase; http.uri; content:"/css/\_notes/putty.zip"; nocase; 
tag:session,600,seconds; classtype:trojan-activity; sid:4121811; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/257;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e257 [tlp:white] Outgoing URL https|3a|//baloobajojonako.fr/panel/client.php?47F3640E5BCAD613"; tls.sni; content:"baloobajojonako.fr"; tag:session,600,seconds; classtype:trojan-activity; sid:4121831; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/257;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e257 [tlp:white] Outgoing URL http|3a|//www.lightcharts.com/old-website/putty.zip"; flow:to_server,established; http.header; content:"www.lightcharts.com"; fast_pattern; nocase; http.uri; content:"/old-website/putty.zip"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4121841; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/257;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e257 [tlp:white] Outgoing URL https|3a|//www.edmf.org/redirect|5c|_d2CORIvmZ/putty.zip"; tls.sni; content:"www.edmf.org"; tag:session,600,seconds; classtype:trojan-activity; sid:4121851; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/257;) alert ip $HOME_NET any -> 105.112.101.7 any (msg: "MISP e259 [misp-galaxy:financial-fraud="Business Email Compromise",misp-galaxy:mitre-attack-pattern="Business Relationships - T1591.002",misp-galaxy:mitre-attack-pattern="Credentials - T1589.001",misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043",tlp:white] Outgoing To IP: 105.112.101.7"; classtype:trojan-activity; sid:4121911; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/259;) alert ip $HOME_NET any -> 105.112.102.213 any (msg: "MISP e259 [misp-galaxy:financial-fraud="Business Email Compromise",misp-galaxy:mitre-attack-pattern="Business Relationships - T1591.002",misp-galaxy:mitre-attack-pattern="Credentials - T1589.001",misp-galaxy:mitre-attack-pattern="Commonly Used Port - 
T1043",tlp:white] Outgoing To IP: 105.112.102.213"; classtype:trojan-activity; sid:4121921; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/259;) alert ip $HOME_NET any -> 105.112.107.100 any (msg: "MISP e259 [misp-galaxy:financial-fraud="Business Email Compromise",misp-galaxy:mitre-attack-pattern="Business Relationships - T1591.002",misp-galaxy:mitre-attack-pattern="Credentials - T1589.001",misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043",tlp:white] Outgoing To IP: 105.112.107.100"; classtype:trojan-activity; sid:4121931; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/259;) alert ip $HOME_NET any -> 105.112.109.252 any (msg: "MISP e259 [misp-galaxy:financial-fraud="Business Email Compromise",misp-galaxy:mitre-attack-pattern="Business Relationships - T1591.002",misp-galaxy:mitre-attack-pattern="Credentials - T1589.001",misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043",tlp:white] Outgoing To IP: 105.112.109.252"; classtype:trojan-activity; sid:4121941; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/259;) alert ip $HOME_NET any -> 105.112.113.164 any (msg: "MISP e259 [misp-galaxy:financial-fraud="Business Email Compromise",misp-galaxy:mitre-attack-pattern="Business Relationships - T1591.002",misp-galaxy:mitre-attack-pattern="Credentials - T1589.001",misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043",tlp:white] Outgoing To IP: 105.112.113.164"; classtype:trojan-activity; sid:4121951; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/259;) alert ip $HOME_NET any -> 105.112.113.250 any (msg: "MISP e259 [misp-galaxy:financial-fraud="Business Email Compromise",misp-galaxy:mitre-attack-pattern="Business Relationships - T1591.002",misp-galaxy:mitre-attack-pattern="Credentials - T1589.001",misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043",tlp:white] Outgoing To IP: 105.112.113.250"; classtype:trojan-activity; sid:4121961; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/259;) alert ip $HOME_NET any -> 105.112.114.120 any (msg: "MISP e259 [misp-galaxy:financial-fraud="Business Email Compromise",misp-galaxy:mitre-attack-pattern="Business Relationships - T1591.002",misp-galaxy:mitre-attack-pattern="Credentials - T1589.001",misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043",tlp:white] Outgoing To IP: 105.112.114.120"; classtype:trojan-activity; sid:4121971; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/259;) alert ip $HOME_NET any -> 105.112.115.230 any (msg: "MISP e259 [misp-galaxy:financial-fraud="Business Email Compromise",misp-galaxy:mitre-attack-pattern="Business Relationships - T1591.002",misp-galaxy:mitre-attack-pattern="Credentials - T1589.001",misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043",tlp:white] Outgoing To IP: 105.112.115.230"; classtype:trojan-activity; sid:4121981; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/259;) alert ip $HOME_NET any -> 105.112.115.4 any (msg: "MISP e259 [misp-galaxy:financial-fraud="Business Email Compromise",misp-galaxy:mitre-attack-pattern="Business Relationships - T1591.002",misp-galaxy:mitre-attack-pattern="Credentials - T1589.001",misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043",tlp:white] Outgoing To IP: 105.112.115.4"; classtype:trojan-activity; sid:4121991; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/259;) alert ip $HOME_NET any -> 105.112.117.199 any (msg: "MISP e259 [misp-galaxy:financial-fraud="Business Email Compromise",misp-galaxy:mitre-attack-pattern="Business Relationships - T1591.002",misp-galaxy:mitre-attack-pattern="Credentials - T1589.001",misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043",tlp:white] Outgoing To IP: 105.112.117.199"; classtype:trojan-activity; sid:4122001; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/259;) alert ip $HOME_NET any -> 105.112.121.59 any (msg: "MISP e259 
[misp-galaxy:financial-fraud="Business Email Compromise",misp-galaxy:mitre-attack-pattern="Business Relationships - T1591.002",misp-galaxy:mitre-attack-pattern="Credentials - T1589.001",misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043",tlp:white] Outgoing To IP: 105.112.121.59"; classtype:trojan-activity; sid:4122011; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/259;) alert ip $HOME_NET any -> 105.112.144.173 any (msg: "MISP e259 [misp-galaxy:financial-fraud="Business Email Compromise",misp-galaxy:mitre-attack-pattern="Business Relationships - T1591.002",misp-galaxy:mitre-attack-pattern="Credentials - T1589.001",misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043",tlp:white] Outgoing To IP: 105.112.144.173"; classtype:trojan-activity; sid:4122021; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/259;) alert ip $HOME_NET any -> 105.112.144.56 any (msg: "MISP e259 [misp-galaxy:financial-fraud="Business Email Compromise",misp-galaxy:mitre-attack-pattern="Business Relationships - T1591.002",misp-galaxy:mitre-attack-pattern="Credentials - T1589.001",misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043",tlp:white] Outgoing To IP: 105.112.144.56"; classtype:trojan-activity; sid:4122031; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/259;) alert ip $HOME_NET any -> 105.112.144.77 any (msg: "MISP e259 [misp-galaxy:financial-fraud="Business Email Compromise",misp-galaxy:mitre-attack-pattern="Business Relationships - T1591.002",misp-galaxy:mitre-attack-pattern="Credentials - T1589.001",misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043",tlp:white] Outgoing To IP: 105.112.144.77"; classtype:trojan-activity; sid:4122041; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/259;) alert ip $HOME_NET any -> 105.112.145.6 any (msg: "MISP e259 [misp-galaxy:financial-fraud="Business Email Compromise",misp-galaxy:mitre-attack-pattern="Business Relationships - 
T1591.002",misp-galaxy:mitre-attack-pattern="Credentials - T1589.001",misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043",tlp:white] Outgoing To IP: 105.112.145.6"; classtype:trojan-activity; sid:4122051; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/259;) alert ip $HOME_NET any -> 105.112.147.156 any (msg: "MISP e259 [misp-galaxy:financial-fraud="Business Email Compromise",misp-galaxy:mitre-attack-pattern="Business Relationships - T1591.002",misp-galaxy:mitre-attack-pattern="Credentials - T1589.001",misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043",tlp:white] Outgoing To IP: 105.112.147.156"; classtype:trojan-activity; sid:4122061; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/259;) alert ip $HOME_NET any -> 105.112.147.20 any (msg: "MISP e259 [misp-galaxy:financial-fraud="Business Email Compromise",misp-galaxy:mitre-attack-pattern="Business Relationships - T1591.002",misp-galaxy:mitre-attack-pattern="Credentials - T1589.001",misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043",tlp:white] Outgoing To IP: 105.112.147.20"; classtype:trojan-activity; sid:4122071; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/259;) alert ip $HOME_NET any -> 105.112.148.252 any (msg: "MISP e259 [misp-galaxy:financial-fraud="Business Email Compromise",misp-galaxy:mitre-attack-pattern="Business Relationships - T1591.002",misp-galaxy:mitre-attack-pattern="Credentials - T1589.001",misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043",tlp:white] Outgoing To IP: 105.112.148.252"; classtype:trojan-activity; sid:4122081; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/259;) alert ip $HOME_NET any -> 105.112.148.60 any (msg: "MISP e259 [misp-galaxy:financial-fraud="Business Email Compromise",misp-galaxy:mitre-attack-pattern="Business Relationships - T1591.002",misp-galaxy:mitre-attack-pattern="Credentials - T1589.001",misp-galaxy:mitre-attack-pattern="Commonly Used 
Port - T1043",tlp:white] Outgoing To IP: 105.112.148.60"; classtype:trojan-activity; sid:4122091; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/259;) alert ip $HOME_NET any -> 105.112.150.35 any (msg: "MISP e259 [misp-galaxy:financial-fraud="Business Email Compromise",misp-galaxy:mitre-attack-pattern="Business Relationships - T1591.002",misp-galaxy:mitre-attack-pattern="Credentials - T1589.001",misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043",tlp:white] Outgoing To IP: 105.112.150.35"; classtype:trojan-activity; sid:4122101; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/259;) alert ip $HOME_NET any -> 105.112.178.164 any (msg: "MISP e259 [misp-galaxy:financial-fraud="Business Email Compromise",misp-galaxy:mitre-attack-pattern="Business Relationships - T1591.002",misp-galaxy:mitre-attack-pattern="Credentials - T1589.001",misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043",tlp:white] Outgoing To IP: 105.112.178.164"; classtype:trojan-activity; sid:4122111; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/259;) alert ip $HOME_NET any -> 105.112.26.202 any (msg: "MISP e259 [misp-galaxy:financial-fraud="Business Email Compromise",misp-galaxy:mitre-attack-pattern="Business Relationships - T1591.002",misp-galaxy:mitre-attack-pattern="Credentials - T1589.001",misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043",tlp:white] Outgoing To IP: 105.112.26.202"; classtype:trojan-activity; sid:4122121; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/259;) alert ip $HOME_NET any -> 105.112.32.44 any (msg: "MISP e259 [misp-galaxy:financial-fraud="Business Email Compromise",misp-galaxy:mitre-attack-pattern="Business Relationships - T1591.002",misp-galaxy:mitre-attack-pattern="Credentials - T1589.001",misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043",tlp:white] Outgoing To IP: 105.112.32.44"; classtype:trojan-activity; sid:4122131; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/259;) alert ip $HOME_NET any -> 105.112.33.155 any (msg: "MISP e259 [misp-galaxy:financial-fraud="Business Email Compromise",misp-galaxy:mitre-attack-pattern="Business Relationships - T1591.002",misp-galaxy:mitre-attack-pattern="Credentials - T1589.001",misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043",tlp:white] Outgoing To IP: 105.112.33.155"; classtype:trojan-activity; sid:4122141; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/259;) alert ip $HOME_NET any -> 105.112.33.233 any (msg: "MISP e259 [misp-galaxy:financial-fraud="Business Email Compromise",misp-galaxy:mitre-attack-pattern="Business Relationships - T1591.002",misp-galaxy:mitre-attack-pattern="Credentials - T1589.001",misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043",tlp:white] Outgoing To IP: 105.112.33.233"; classtype:trojan-activity; sid:4122151; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/259;) alert ip $HOME_NET any -> 105.112.33.40 any (msg: "MISP e259 [misp-galaxy:financial-fraud="Business Email Compromise",misp-galaxy:mitre-attack-pattern="Business Relationships - T1591.002",misp-galaxy:mitre-attack-pattern="Credentials - T1589.001",misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043",tlp:white] Outgoing To IP: 105.112.33.40"; classtype:trojan-activity; sid:4122161; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/259;) alert ip $HOME_NET any -> 105.112.35.117 any (msg: "MISP e259 [misp-galaxy:financial-fraud="Business Email Compromise",misp-galaxy:mitre-attack-pattern="Business Relationships - T1591.002",misp-galaxy:mitre-attack-pattern="Credentials - T1589.001",misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043",tlp:white] Outgoing To IP: 105.112.35.117"; classtype:trojan-activity; sid:4122171; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/259;) alert ip $HOME_NET any -> 105.112.37.192 any (msg: "MISP e259 
[misp-galaxy:financial-fraud="Business Email Compromise",misp-galaxy:mitre-attack-pattern="Business Relationships - T1591.002",misp-galaxy:mitre-attack-pattern="Credentials - T1589.001",misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043",tlp:white] Outgoing To IP: 105.112.37.192"; classtype:trojan-activity; sid:4122181; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/259;) alert ip $HOME_NET any -> 105.112.37.193 any (msg: "MISP e259 [misp-galaxy:financial-fraud="Business Email Compromise",misp-galaxy:mitre-attack-pattern="Business Relationships - T1591.002",misp-galaxy:mitre-attack-pattern="Credentials - T1589.001",misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043",tlp:white] Outgoing To IP: 105.112.37.193"; classtype:trojan-activity; sid:4122191; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/259;) alert ip $HOME_NET any -> 105.112.37.222 any (msg: "MISP e259 [misp-galaxy:financial-fraud="Business Email Compromise",misp-galaxy:mitre-attack-pattern="Business Relationships - T1591.002",misp-galaxy:mitre-attack-pattern="Credentials - T1589.001",misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043",tlp:white] Outgoing To IP: 105.112.37.222"; classtype:trojan-activity; sid:4122201; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/259;) alert ip $HOME_NET any -> 105.112.38.173 any (msg: "MISP e259 [misp-galaxy:financial-fraud="Business Email Compromise",misp-galaxy:mitre-attack-pattern="Business Relationships - T1591.002",misp-galaxy:mitre-attack-pattern="Credentials - T1589.001",misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043",tlp:white] Outgoing To IP: 105.112.38.173"; classtype:trojan-activity; sid:4122211; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/259;) alert ip $HOME_NET any -> 105.112.38.201 any (msg: "MISP e259 [misp-galaxy:financial-fraud="Business Email Compromise",misp-galaxy:mitre-attack-pattern="Business Relationships - 
T1591.002",misp-galaxy:mitre-attack-pattern="Credentials - T1589.001",misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043",tlp:white] Outgoing To IP: 105.112.38.201"; classtype:trojan-activity; sid:4122221; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/259;) alert ip $HOME_NET any -> 105.112.38.218 any (msg: "MISP e259 [misp-galaxy:financial-fraud="Business Email Compromise",misp-galaxy:mitre-attack-pattern="Business Relationships - T1591.002",misp-galaxy:mitre-attack-pattern="Credentials - T1589.001",misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043",tlp:white] Outgoing To IP: 105.112.38.218"; classtype:trojan-activity; sid:4122231; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/259;) alert ip $HOME_NET any -> 105.112.38.249 any (msg: "MISP e259 [misp-galaxy:financial-fraud="Business Email Compromise",misp-galaxy:mitre-attack-pattern="Business Relationships - T1591.002",misp-galaxy:mitre-attack-pattern="Credentials - T1589.001",misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043",tlp:white] Outgoing To IP: 105.112.38.249"; classtype:trojan-activity; sid:4122241; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/259;) alert ip $HOME_NET any -> 105.112.39.130 any (msg: "MISP e259 [misp-galaxy:financial-fraud="Business Email Compromise",misp-galaxy:mitre-attack-pattern="Business Relationships - T1591.002",misp-galaxy:mitre-attack-pattern="Credentials - T1589.001",misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043",tlp:white] Outgoing To IP: 105.112.39.130"; classtype:trojan-activity; sid:4122251; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/259;) alert ip $HOME_NET any -> 105.112.39.167 any (msg: "MISP e259 [misp-galaxy:financial-fraud="Business Email Compromise",misp-galaxy:mitre-attack-pattern="Business Relationships - T1591.002",misp-galaxy:mitre-attack-pattern="Credentials - T1589.001",misp-galaxy:mitre-attack-pattern="Commonly Used Port 
- T1043",tlp:white] Outgoing To IP: 105.112.39.167"; classtype:trojan-activity; sid:4122261; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/259;) alert ip $HOME_NET any -> 105.112.41.0 any (msg: "MISP e259 [misp-galaxy:financial-fraud="Business Email Compromise",misp-galaxy:mitre-attack-pattern="Business Relationships - T1591.002",misp-galaxy:mitre-attack-pattern="Credentials - T1589.001",misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043",tlp:white] Outgoing To IP: 105.112.41.0"; classtype:trojan-activity; sid:4122271; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/259;) alert ip $HOME_NET any -> 105.112.41.149 any (msg: "MISP e259 [misp-galaxy:financial-fraud="Business Email Compromise",misp-galaxy:mitre-attack-pattern="Business Relationships - T1591.002",misp-galaxy:mitre-attack-pattern="Credentials - T1589.001",misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043",tlp:white] Outgoing To IP: 105.112.41.149"; classtype:trojan-activity; sid:4122281; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/259;) alert ip $HOME_NET any -> 105.112.46.233 any (msg: "MISP e259 [misp-galaxy:financial-fraud="Business Email Compromise",misp-galaxy:mitre-attack-pattern="Business Relationships - T1591.002",misp-galaxy:mitre-attack-pattern="Credentials - T1589.001",misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043",tlp:white] Outgoing To IP: 105.112.46.233"; classtype:trojan-activity; sid:4122291; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/259;) alert ip $HOME_NET any -> 105.112.46.38 any (msg: "MISP e259 [misp-galaxy:financial-fraud="Business Email Compromise",misp-galaxy:mitre-attack-pattern="Business Relationships - T1591.002",misp-galaxy:mitre-attack-pattern="Credentials - T1589.001",misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043",tlp:white] Outgoing To IP: 105.112.46.38"; classtype:trojan-activity; sid:4122301; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/259;) alert ip $HOME_NET any -> 105.112.50.73 any (msg: "MISP e259 [misp-galaxy:financial-fraud="Business Email Compromise",misp-galaxy:mitre-attack-pattern="Business Relationships - T1591.002",misp-galaxy:mitre-attack-pattern="Credentials - T1589.001",misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043",tlp:white] Outgoing To IP: 105.112.50.73"; classtype:trojan-activity; sid:4122311; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/259;) alert ip $HOME_NET any -> 105.112.50.80 any (msg: "MISP e259 [misp-galaxy:financial-fraud="Business Email Compromise",misp-galaxy:mitre-attack-pattern="Business Relationships - T1591.002",misp-galaxy:mitre-attack-pattern="Credentials - T1589.001",misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043",tlp:white] Outgoing To IP: 105.112.50.80"; classtype:trojan-activity; sid:4122321; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/259;) alert ip $HOME_NET any -> 185.178.209.193 any (msg: "MISP e260 [misp-galaxy:malpedia="Conti Ransomware",misp-galaxy:mitre-malware="Conti - S0575",tlp:white,misp-galaxy:mitre-attack-pattern="Local Accounts - T1078.003",misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001",misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004",misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",misp-galaxy:mitre-attack-pattern="Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490",misp-galaxy:mitre-attack-pattern="Service Stop - T1489",misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1090.003",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - 
T1570",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",dhs-ciip-sectors:DHS-critical-sectors="critical-manufacturing"] Outgoing To IP: 185.178.209.193"; classtype:trojan-activity; sid:4123651; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/260;) alert ip $HOME_NET any -> 195.123.217.36 any (msg: "MISP e260 [misp-galaxy:malpedia="Conti Ransomware",misp-galaxy:mitre-malware="Conti - S0575",tlp:white,misp-galaxy:mitre-attack-pattern="Local Accounts - T1078.003",misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001",misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004",misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",misp-galaxy:mitre-attack-pattern="Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490",misp-galaxy:mitre-attack-pattern="Service Stop - T1489",misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1090.003",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",dhs-ciip-sectors:DHS-critical-sectors="critical-manufacturing"] Outgoing To IP: 195.123.217.36"; classtype:trojan-activity; sid:4123661; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/260;) alert ip $HOME_NET any -> 195.123.222.2 any (msg: "MISP e260 [misp-galaxy:malpedia="Conti Ransomware",misp-galaxy:mitre-malware="Conti - S0575",tlp:white,misp-galaxy:mitre-attack-pattern="Local Accounts - T1078.003",misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - 
T1562.001",misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004",misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",misp-galaxy:mitre-attack-pattern="Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490",misp-galaxy:mitre-attack-pattern="Service Stop - T1489",misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1090.003",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",dhs-ciip-sectors:DHS-critical-sectors="critical-manufacturing"] Outgoing To IP: 195.123.222.2"; classtype:trojan-activity; sid:4123671; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/260;) alert ip $HOME_NET any -> 162.244.80.177 any (msg: "MISP e260 [misp-galaxy:malpedia="Conti Ransomware",misp-galaxy:mitre-malware="Conti - S0575",tlp:white,misp-galaxy:mitre-attack-pattern="Local Accounts - T1078.003",misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001",misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004",misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",misp-galaxy:mitre-attack-pattern="Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490",misp-galaxy:mitre-attack-pattern="Service Stop - T1489",misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - 
T1090.003",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",dhs-ciip-sectors:DHS-critical-sectors="critical-manufacturing"] Outgoing To IP: 162.244.80.177"; classtype:trojan-activity; sid:4123681; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/260;) alert ip $HOME_NET any -> 185.206.21.82 any (msg: "MISP e260 [misp-galaxy:malpedia="Conti Ransomware",misp-galaxy:mitre-malware="Conti - S0575",tlp:white,misp-galaxy:mitre-attack-pattern="Local Accounts - T1078.003",misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001",misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004",misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",misp-galaxy:mitre-attack-pattern="Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490",misp-galaxy:mitre-attack-pattern="Service Stop - T1489",misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1090.003",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",dhs-ciip-sectors:DHS-critical-sectors="critical-manufacturing"] Outgoing To IP: 185.206.21.82"; classtype:trojan-activity; sid:4123691; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/260;) alert ip $HOME_NET any -> 217.12.202.115 any (msg: "MISP e260 [misp-galaxy:malpedia="Conti Ransomware",misp-galaxy:mitre-malware="Conti - S0575",tlp:white,misp-galaxy:mitre-attack-pattern="Local Accounts - 
T1078.003",misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001",misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004",misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",misp-galaxy:mitre-attack-pattern="Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490",misp-galaxy:mitre-attack-pattern="Service Stop - T1489",misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1090.003",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",dhs-ciip-sectors:DHS-critical-sectors="critical-manufacturing"] Outgoing To IP: 217.12.202.115"; classtype:trojan-activity; sid:4123701; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/260;) alert ip $HOME_NET any -> 217.12.202.207 any (msg: "MISP e260 [misp-galaxy:malpedia="Conti Ransomware",misp-galaxy:mitre-malware="Conti - S0575",tlp:white,misp-galaxy:mitre-attack-pattern="Local Accounts - T1078.003",misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001",misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004",misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",misp-galaxy:mitre-attack-pattern="Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490",misp-galaxy:mitre-attack-pattern="Service Stop - 
T1489",misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1090.003",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",dhs-ciip-sectors:DHS-critical-sectors="critical-manufacturing"] Outgoing To IP: 217.12.202.207"; classtype:trojan-activity; sid:4123711; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/260;) alert dns any any -> any any (msg: "MISP e260 [misp-galaxy:malpedia="Conti Ransomware",misp-galaxy:mitre-malware="Conti - S0575",tlp:white,misp-galaxy:mitre-attack-pattern="Local Accounts - T1078.003",misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001",misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004",misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",misp-galaxy:mitre-attack-pattern="Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490",misp-galaxy:mitre-attack-pattern="Service Stop - T1489",misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1090.003",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",dhs-ciip-sectors:DHS-critical-sectors="critical-manufacturing"] Domain bestarg.com"; dns.query; content:"bestarg.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])bestarg\.com$/i"; classtype:trojan-activity; sid:4123721; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/260;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e260 [misp-galaxy:malpedia="Conti 
Ransomware",misp-galaxy:mitre-malware="Conti - S0575",tlp:white,misp-galaxy:mitre-attack-pattern="Local Accounts - T1078.003",misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001",misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004",misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",misp-galaxy:mitre-attack-pattern="Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490",misp-galaxy:mitre-attack-pattern="Service Stop - T1489",misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1090.003",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",dhs-ciip-sectors:DHS-critical-sectors="critical-manufacturing"] Outgoing HTTP Domain bestarg.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bestarg.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bestarg\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4123722; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/260;) alert dns any any -> any any (msg: "MISP e260 [misp-galaxy:malpedia="Conti Ransomware",misp-galaxy:mitre-malware="Conti - S0575",tlp:white,misp-galaxy:mitre-attack-pattern="Local Accounts - T1078.003",misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001",misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004",misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - 
T1567.002",misp-galaxy:mitre-attack-pattern="Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490",misp-galaxy:mitre-attack-pattern="Service Stop - T1489",misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1090.003",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",dhs-ciip-sectors:DHS-critical-sectors="critical-manufacturing"] Domain gue.life"; dns.query; content:"gue.life"; nocase; pcre: "/(^|[^A-Za-z0-9-])gue\.life$/i"; classtype:trojan-activity; sid:4123731; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/260;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e260 [misp-galaxy:malpedia="Conti Ransomware",misp-galaxy:mitre-malware="Conti - S0575",tlp:white,misp-galaxy:mitre-attack-pattern="Local Accounts - T1078.003",misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001",misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004",misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",misp-galaxy:mitre-attack-pattern="Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490",misp-galaxy:mitre-attack-pattern="Service Stop - T1489",misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1090.003",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - 
T1083",dhs-ciip-sectors:DHS-critical-sectors="critical-manufacturing"] Outgoing HTTP Domain gue.life"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gue.life"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gue\.life[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4123732; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/260;) alert dns any any -> any any (msg: "MISP e260 [misp-galaxy:malpedia="Conti Ransomware",misp-galaxy:mitre-malware="Conti - S0575",tlp:white,misp-galaxy:mitre-attack-pattern="Local Accounts - T1078.003",misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001",misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004",misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",misp-galaxy:mitre-attack-pattern="Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490",misp-galaxy:mitre-attack-pattern="Service Stop - T1489",misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1090.003",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",dhs-ciip-sectors:DHS-critical-sectors="critical-manufacturing"] Domain leafrace.com"; dns.query; content:"leafrace.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])leafrace\.com$/i"; classtype:trojan-activity; sid:4123741; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/260;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e260 [misp-galaxy:malpedia="Conti Ransomware",misp-galaxy:mitre-malware="Conti - 
S0575",tlp:white,misp-galaxy:mitre-attack-pattern="Local Accounts - T1078.003",misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001",misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004",misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002",misp-galaxy:mitre-attack-pattern="Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490",misp-galaxy:mitre-attack-pattern="Service Stop - T1489",misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1090.003",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",dhs-ciip-sectors:DHS-critical-sectors="critical-manufacturing"] Outgoing HTTP Domain leafrace.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"leafrace.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])leafrace\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4123742; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/260;) alert dns any any -> any any (msg: "MISP e262 [tlp:white,misp-galaxy:mitre-enterprise-attack-attack-pattern="Remote Access Tools - T1219"] Domain sharingmymedia.com"; dns.query; content:"sharingmymedia.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])sharingmymedia\.com$/i"; classtype:trojan-activity; sid:4124361; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/262;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e262 [tlp:white,misp-galaxy:mitre-enterprise-attack-attack-pattern="Remote Access Tools - T1219"] Outgoing HTTP Domain sharingmymedia.com"; 
flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sharingmymedia.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sharingmymedia\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4124362; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/262;) alert dns any any -> any any (msg: "MISP e262 [tlp:white,misp-galaxy:mitre-enterprise-attack-attack-pattern="Remote Access Tools - T1219"] Domain viral91.xyz"; dns.query; content:"viral91.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])viral91\.xyz$/i"; classtype:trojan-activity; sid:4124381; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/262;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e262 [tlp:white,misp-galaxy:mitre-enterprise-attack-attack-pattern="Remote Access Tools - T1219"] Outgoing HTTP Domain viral91.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"viral91.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])viral91\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4124382; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/262;) alert ip $HOME_NET any -> 209.127.19.241 10284 (msg: "MISP e262 [tlp:white,misp-galaxy:mitre-enterprise-attack-attack-pattern="Remote Access Tools - T1219"] Outgoing To IP: 209.127.19.241|10284"; classtype:trojan-activity; sid:4124391; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/262;) alert ip $HOME_NET any -> 209.127.19.241 10284 (msg: "MISP e262 [tlp:white,misp-galaxy:mitre-enterprise-attack-attack-pattern="Remote Access Tools - T1219"] Outgoing To IP: 209.127.19.241|10284"; classtype:trojan-activity; sid:4124471; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/262;) alert ip $HOME_NET any -> 185.136.161.124 any (msg: "MISP e262 [tlp:white,misp-galaxy:mitre-enterprise-attack-attack-pattern="Remote Access Tools - T1219"] 
Outgoing To IP: 185.136.161.124"; classtype:trojan-activity; sid:4124481; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/262;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e262 [tlp:white,misp-galaxy:mitre-enterprise-attack-attack-pattern="Remote Access Tools - T1219"] Outgoing URL https|3a|//sharingmymedia.com/files/1More-details.doc"; tls.sni; content:"sharingmymedia.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4125201; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/262;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e262 [tlp:white,misp-galaxy:mitre-enterprise-attack-attack-pattern="Remote Access Tools - T1219"] Outgoing URL https|3a|//sharingmymedia.com/files/Criteria-of-Army-Officers.doc"; tls.sni; content:"sharingmymedia.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4125211; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/262;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e262 [tlp:white,misp-galaxy:mitre-enterprise-attack-attack-pattern="Remote Access Tools - T1219"] Outgoing URL https|3a|//sharingmymedia.com/files/7All-Selected-list.xls"; tls.sni; content:"sharingmymedia.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4125221; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/262;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e262 [tlp:white,misp-galaxy:mitre-enterprise-attack-attack-pattern="Remote Access Tools - T1219"] Outgoing URL http|3a|//iiaonline.in/sasha.jpg"; flow:to_server,established; http.header; content:"iiaonline.in"; fast_pattern; nocase; http.uri; content:"/sasha.jpg"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4125231; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/262;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e262 [tlp:white,misp-galaxy:mitre-enterprise-attack-attack-pattern="Remote 
Access Tools - T1219"] Outgoing URL http|3a|//iiaonline.in/timon.jpeg"; flow:to_server,established; http.header; content:"iiaonline.in"; fast_pattern; nocase; http.uri; content:"/timon.jpeg"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4125241; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/262;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e262 [tlp:white,misp-galaxy:mitre-enterprise-attack-attack-pattern="Remote Access Tools - T1219"] Outgoing URL http|3a|//iiaonline.in/DefenceLogo/theta.bmp"; flow:to_server,established; http.header; content:"iiaonline.in"; fast_pattern; nocase; http.uri; content:"/DefenceLogo/theta.bmp"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4125251; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/262;) alert ip $HOME_NET any -> 139.60.160.200 any (msg: "MISP e263 [tlp:white,misp-galaxy:ransomware="LockBit",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486"] Outgoing To IP: 139.60.160.200"; classtype:trojan-activity; sid:4125831; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/263;) alert ip $HOME_NET any -> 93.190.139.223 any (msg: "MISP e263 [tlp:white,misp-galaxy:ransomware="LockBit",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486"] Outgoing To IP: 93.190.139.223"; classtype:trojan-activity; sid:4125841; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/263;) alert ip $HOME_NET any -> 45.227.255.190 any (msg: "MISP e263 [tlp:white,misp-galaxy:ransomware="LockBit",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486"] Outgoing To IP: 45.227.255.190"; classtype:trojan-activity; sid:4125851; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/263;) alert ip $HOME_NET any -> 193.162.143.218 any (msg: "MISP e263 [tlp:white,misp-galaxy:ransomware="LockBit",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486"] 
Outgoing To IP: 193.162.143.218"; classtype:trojan-activity; sid:4125861; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/263;) alert ip $HOME_NET any -> 168.100.11.72 any (msg: "MISP e263 [tlp:white,misp-galaxy:ransomware="LockBit",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486"] Outgoing To IP: 168.100.11.72"; classtype:trojan-activity; sid:4125871; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/263;) alert ip $HOME_NET any -> 93.190.143.101 any (msg: "MISP e263 [tlp:white,misp-galaxy:ransomware="LockBit",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486"] Outgoing To IP: 93.190.143.101"; classtype:trojan-activity; sid:4125881; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/263;) alert ip $HOME_NET any -> 88.80.147.102 any (msg: "MISP e263 [tlp:white,misp-galaxy:ransomware="LockBit",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486"] Outgoing To IP: 88.80.147.102"; classtype:trojan-activity; sid:4125891; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/263;) alert ip $HOME_NET any -> 193.38.235.234 any (msg: "MISP e263 [tlp:white,misp-galaxy:ransomware="LockBit",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486"] Outgoing To IP: 193.38.235.234"; classtype:trojan-activity; sid:4125901; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/263;) alert ip $HOME_NET any -> 174.138.62.35 any (msg: "MISP e263 [tlp:white,misp-galaxy:ransomware="LockBit",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486"] Outgoing To IP: 174.138.62.35"; classtype:trojan-activity; sid:4125911; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/263;) alert ip $HOME_NET any -> 185.215.113.39 any (msg: "MISP e263 [tlp:white,misp-galaxy:ransomware="LockBit",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486"] Outgoing To IP: 185.215.113.39"; classtype:trojan-activity; 
sid:4125921; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/263;)
# (the line above is the tail of a rule whose head precedes this section)
#
# Suricata rules exported from MISP, one rule per line. Every rule's reference:url points
# at the MISP event it was generated from, and the "MISP eNNN [...]" prefix of each msg
# repeats the event id and the event's tags.
# NOTE(review): several msg strings embed galaxy tags whose values are wrapped in
# unescaped double quotes (e.g. ransomware="LockBit" here, the mitre-attack-pattern tags
# of events 266 and 267 below). Suricata expects \" inside a msg; confirm with
# `suricata -T` (or the rule-load log) that these rules load instead of being skipped.
#
# --- MISP event 263 (tagged LockBit / T1486) ---
# The ip rule fires on any packet from $HOME_NET to the address, whatever the protocol;
# the http rule after it additionally requires the address in an HTTP header and the exact
# path in the request URI. Only the http rule carries tag:session, so only HTTP hits get the
# follow-on 600 s of session logging.
alert ip $HOME_NET any -> 185.182.193.120 any (msg: "MISP e263 [tlp:white,misp-galaxy:ransomware="LockBit",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486"] Outgoing To IP: 185.182.193.120"; classtype:trojan-activity; sid:4125931; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/263;)
alert http $HOME_NET any -> 185.182.193.120 $HTTP_PORTS (msg: "MISP e263 [tlp:white,misp-galaxy:ransomware="LockBit",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486"] Outgoing URL http|3a|//185.182.193.120/06599379103BD9028AB56AE0EBED457D0"; flow:to_server,established; http.header; content:"185.182.193.120"; fast_pattern; nocase; http.uri; content:"/06599379103BD9028AB56AE0EBED457D0"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4125941; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/263;)
#
# --- MISP event 264 ---
# Sender-address indicators: each rule matches the SMTP envelope "MAIL FROM:" command
# followed by the address, then requires an end-of-headers CRLFCRLF within 8192 bytes of
# that match, on plaintext SMTP to $SMTP_SERVERS port 25 ($SMTP_SERVERS must be defined in
# the sensor's address groups). MAIL FROM is asserted by the sending system, so treat a hit
# as a triage lead rather than proof of origin; once a session upgrades with STARTTLS the
# envelope is no longer visible to content matching.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e264 [tlp:white] Source Email Address: chiragdin3@gmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"chiragdin3@gmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4126191; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e264 [tlp:white] Source Email Address: loggerdata123@gmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"loggerdata123@gmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4126201; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e264 [tlp:white] Source Email Address: maalhamara@gmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"maalhamara@gmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4126211; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e264 [tlp:white] Source Email Address: maalhamara2@gmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"maalhamara2@gmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4126221; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e264 [tlp:white] Source Email Address: nayaamaal1@yahoo.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"nayaamaal1@yahoo.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4126231; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e264 [tlp:white] Source Email Address: nayaamaal122@yahoo.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"nayaamaal122@yahoo.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4126241; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e264 [tlp:white] Source Email Address: nayaamaal2@yahoo.in"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"nayaamaal2@yahoo.in"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4126251; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e264 [tlp:white] Source Email Address: nayaamaal4@yahoo.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"nayaamaal4@yahoo.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4126261; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e264 [tlp:white] Source Email Address: newmaal@yahoo.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"newmaal@yahoo.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4126271; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e264 [tlp:white] Source Email Address: shab03@indiatimes.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"shab03@indiatimes.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4126281; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e264 [tlp:white] Source Email Address: tamizhviduthalai@gmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"tamizhviduthalai@gmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4126291; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e264 [tlp:white] Source Email Address: tryluck222@gmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"tryluck222@gmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4126301; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e264 [tlp:white] Source Email Address: volvoxyz123@gmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"volvoxyz123@gmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4126311; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
# Hostname indicators come in pairs: the sid ending in 1 watches DNS queries (any source,
# any destination) for the exact name - the leading pcre class forbids a preceding '.', so
# subdomains do not match - and the sid ending in 2 watches outbound HTTP for a "Host:"
# header carrying that name (|3a| is the hex escape for ':'). The /H pcre flag scopes the
# regex to the HTTP header buffer and /i makes it case-insensitive. Most of these are
# dynamic-DNS names (ddns.net, no-ip.*, zapto.org, read-books.org); the address behind them
# can change at any time and no IP-based rules for them appear in this event's export, so
# the name is the durable indicator. Only plaintext DNS and HTTP are inspected: DoH/DoT
# lookups and HTTPS sessions to these hosts are not covered by these rules. The DNS rules
# carry no tag:session; the HTTP rules do.
alert dns any any -> any any (msg: "MISP e264 [tlp:white] Hostname pahiclisting.ddns.net"; dns.query; content:"pahiclisting.ddns.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])pahiclisting\.ddns\.net$/i"; classtype:trojan-activity; sid:4127601; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e264 [tlp:white] Outgoing HTTP Hostname pahiclisting.ddns.net"; flow:to_server,established; http.header; content: "Host|3a| pahiclisting.ddns.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])pahiclisting\.ddns\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4127602; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
alert dns any any -> any any (msg: "MISP e264 [tlp:white] Hostname bzone.no-ip.biz"; dns.query; content:"bzone.no-ip.biz"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])bzone\.no\-ip\.biz$/i"; classtype:trojan-activity; sid:4127611; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e264 [tlp:white] Outgoing HTTP Hostname bzone.no-ip.biz"; flow:to_server,established; http.header; content: "Host|3a| bzone.no-ip.biz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])bzone\.no\-ip\.biz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4127612; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
alert dns any any -> any any (msg: "MISP e264 [tlp:white] Hostname johnmarcus.zapto.org"; dns.query; content:"johnmarcus.zapto.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])johnmarcus\.zapto\.org$/i"; classtype:trojan-activity; sid:4127621; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e264 [tlp:white] Outgoing HTTP Hostname johnmarcus.zapto.org"; flow:to_server,established; http.header; content: "Host|3a| johnmarcus.zapto.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])johnmarcus\.zapto\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4127622; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
alert dns any any -> any any (msg: "MISP e264 [tlp:white] Hostname ramesh212121.zapto.org"; dns.query; content:"ramesh212121.zapto.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ramesh212121\.zapto\.org$/i"; classtype:trojan-activity; sid:4127631; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e264 [tlp:white] Outgoing HTTP Hostname ramesh212121.zapto.org"; flow:to_server,established; http.header; content: "Host|3a| ramesh212121.zapto.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ramesh212121\.zapto\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4127632; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
alert dns any any -> any any (msg: "MISP e264 [tlp:white] Hostname atlaswebportal.zapto.org"; dns.query; content:"atlaswebportal.zapto.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])atlaswebportal\.zapto\.org$/i"; classtype:trojan-activity; sid:4127641; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e264 [tlp:white] Outgoing HTTP Hostname atlaswebportal.zapto.org"; flow:to_server,established; http.header; content: "Host|3a| atlaswebportal.zapto.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])atlaswebportal\.zapto\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4127642; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
alert dns any any -> any any (msg: "MISP e264 [tlp:white] Hostname testingnew.no-ip.org"; dns.query; content:"testingnew.no-ip.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])testingnew\.no\-ip\.org$/i"; classtype:trojan-activity; sid:4127651; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e264 [tlp:white] Outgoing HTTP Hostname testingnew.no-ip.org"; flow:to_server,established; http.header; content: "Host|3a| testingnew.no-ip.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])testingnew\.no\-ip\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4127652; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
alert dns any any -> any any (msg: "MISP e264 [tlp:white] Hostname nepal3.msntv.org"; dns.query; content:"nepal3.msntv.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])nepal3\.msntv\.org$/i"; classtype:trojan-activity; sid:4127661; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e264 [tlp:white] Outgoing HTTP Hostname nepal3.msntv.org"; flow:to_server,established; http.header; content: "Host|3a| nepal3.msntv.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])nepal3\.msntv\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4127662; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
alert dns any any -> any any (msg: "MISP e264 [tlp:white] Hostname socialstatistics.zapto.org"; dns.query; content:"socialstatistics.zapto.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])socialstatistics\.zapto\.org$/i"; classtype:trojan-activity; sid:4127671; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e264 [tlp:white] Outgoing HTTP Hostname socialstatistics.zapto.org"; flow:to_server,established; http.header; content: "Host|3a| socialstatistics.zapto.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])socialstatistics\.zapto\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4127672; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
alert dns any any -> any any (msg: "MISP e264 [tlp:white] Hostname socialstudies.zapto.org"; dns.query; content:"socialstudies.zapto.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])socialstudies\.zapto\.org$/i"; classtype:trojan-activity; sid:4127681; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e264 [tlp:white] Outgoing HTTP Hostname socialstudies.zapto.org"; flow:to_server,established; http.header; content: "Host|3a| socialstudies.zapto.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])socialstudies\.zapto\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4127682; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
# "Domain" indicators (gayakwaad.com, and later greenpeacesite.com, new-agency.us,
# chivalkarstone.com, newmms.ru) differ from the "Hostname" ones above: the leading pcre
# class omits '.', so any subdomain of the domain matches too, and the HTTP variant
# matches "Host:" and the domain as two separate header contents.
alert dns any any -> any any (msg: "MISP e264 [tlp:white] Domain gayakwaad.com"; dns.query; content:"gayakwaad.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])gayakwaad\.com$/i"; classtype:trojan-activity; sid:4127691; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e264 [tlp:white] Outgoing HTTP Domain gayakwaad.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gayakwaad.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gayakwaad\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4127692; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
alert dns any any -> any any (msg: "MISP e264 [tlp:white] Hostname knudandersen.zapto.org"; dns.query; content:"knudandersen.zapto.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])knudandersen\.zapto\.org$/i"; classtype:trojan-activity; sid:4127701; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e264 [tlp:white] Outgoing HTTP Hostname knudandersen.zapto.org"; flow:to_server,established; http.header; content: "Host|3a| knudandersen.zapto.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])knudandersen\.zapto\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4127702; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
alert dns any any -> any any (msg: "MISP e264 [tlp:white] Hostname jasonhistoryarticles.read-books.org"; dns.query; content:"jasonhistoryarticles.read-books.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])jasonhistoryarticles\.read\-books\.org$/i"; classtype:trojan-activity; sid:4127711; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e264 [tlp:white] Outgoing HTTP Hostname jasonhistoryarticles.read-books.org"; flow:to_server,established; http.header; content: "Host|3a| jasonhistoryarticles.read-books.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])jasonhistoryarticles\.read\-books\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4127712; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
alert dns any any -> any any (msg: "MISP e264 [tlp:white] Hostname duniaenewsportal.ddns.net"; dns.query; content:"duniaenewsportal.ddns.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])duniaenewsportal\.ddns\.net$/i"; classtype:trojan-activity; sid:4127721; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e264 [tlp:white] Outgoing HTTP Hostname duniaenewsportal.ddns.net"; flow:to_server,established; http.header; content: "Host|3a| duniaenewsportal.ddns.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])duniaenewsportal\.ddns\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4127722; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
alert dns any any -> any any (msg: "MISP e264 [tlp:white] Hostname vinaychutiya.no-ip.biz"; dns.query; content:"vinaychutiya.no-ip.biz"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])vinaychutiya\.no\-ip\.biz$/i"; classtype:trojan-activity; sid:4127731; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e264 [tlp:white] Outgoing HTTP Hostname vinaychutiya.no-ip.biz"; flow:to_server,established; http.header; content: "Host|3a| vinaychutiya.no-ip.biz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])vinaychutiya\.no\-ip\.biz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4127732; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
alert dns any any -> any any (msg: "MISP e264 [tlp:white] Hostname researchplanet.zapto.org"; dns.query; content:"researchplanet.zapto.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])researchplanet\.zapto\.org$/i"; classtype:trojan-activity; sid:4127741; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e264 [tlp:white] Outgoing HTTP Hostname researchplanet.zapto.org"; flow:to_server,established; http.header; content: "Host|3a| researchplanet.zapto.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])researchplanet\.zapto\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4127742; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
alert dns any any -> any any (msg: "MISP e264 [tlp:white] Domain greenpeacesite.com"; dns.query; content:"greenpeacesite.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])greenpeacesite\.com$/i"; classtype:trojan-activity; sid:4127751; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e264 [tlp:white] Outgoing HTTP Domain greenpeacesite.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"greenpeacesite.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])greenpeacesite\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4127752; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
alert dns any any -> any any (msg: "MISP e264 [tlp:white] Domain new-agency.us"; dns.query; content:"new-agency.us"; nocase; pcre: "/(^|[^A-Za-z0-9-])new\-agency\.us$/i"; classtype:trojan-activity; sid:4127761; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e264 [tlp:white] Outgoing HTTP Domain new-agency.us"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"new-agency.us"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])new\-agency\.us[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4127762; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
alert dns any any -> any any (msg: "MISP e264 [tlp:white] Domain chivalkarstone.com"; dns.query; content:"chivalkarstone.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])chivalkarstone\.com$/i"; classtype:trojan-activity; sid:4127771; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e264 [tlp:white] Outgoing HTTP Domain chivalkarstone.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"chivalkarstone.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])chivalkarstone\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4127772; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
alert dns any any -> any any (msg: "MISP e264 [tlp:white] Domain newmms.ru"; dns.query; content:"newmms.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])newmms\.ru$/i"; classtype:trojan-activity; sid:4127781; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e264 [tlp:white] Outgoing HTTP Domain newmms.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"newmms.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])newmms\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4127782; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/264;)
#
# --- MISP event 265 ---
# Plain IP indicators with no protocol, port or flow constraint and no tag:session; check
# whether an address is shared hosting before using these in drop mode. The two hostnames
# that follow have names resembling service-management and vendor-update infrastructure,
# which is worth bearing in mind when triaging a hit.
alert ip $HOME_NET any -> 51.89.169.198 any (msg: "MISP e265 [tlp:white] Outgoing To IP: 51.89.169.198"; classtype:trojan-activity; sid:4127841; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/265;)
alert ip $HOME_NET any -> 142.44.251.77 any (msg: "MISP e265 [tlp:white] Outgoing To IP: 142.44.251.77"; classtype:trojan-activity; sid:4127851; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/265;)
alert ip $HOME_NET any -> 182.54.217.2 any (msg: "MISP e265 [tlp:white] Outgoing To IP: 182.54.217.2"; classtype:trojan-activity; sid:4127861; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/265;)
alert ip $HOME_NET any -> 142.44.135.86 any (msg: "MISP e265 [tlp:white] Outgoing To IP: 142.44.135.86"; classtype:trojan-activity; sid:4127871; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/265;)
alert ip $HOME_NET any -> 51.89.190.128 any (msg: "MISP e265 [tlp:white] Outgoing To IP: 51.89.190.128"; classtype:trojan-activity; sid:4127881; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/265;)
alert ip $HOME_NET any -> 51.89.135.142 any (msg: "MISP e265 [tlp:white] Outgoing To IP: 51.89.135.142"; classtype:trojan-activity; sid:4127891; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/265;)
alert ip $HOME_NET any -> 51.89.178.210 any (msg: "MISP e265 [tlp:white] Outgoing To IP: 51.89.178.210"; classtype:trojan-activity; sid:4127901; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/265;)
alert dns any any -> any any (msg: "MISP e265 [tlp:white] Hostname www.service-management.tk"; dns.query; content:"www.service-management.tk"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.service\-management\.tk$/i"; classtype:trojan-activity; sid:4127911; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/265;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e265 [tlp:white] Outgoing HTTP Hostname www.service-management.tk"; flow:to_server,established; http.header; content: "Host|3a| www.service-management.tk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.service\-management\.tk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4127912; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/265;)
alert dns any any -> any any (msg: "MISP e265 [tlp:white] Hostname www.microsoft-updateserver.cf"; dns.query; content:"www.microsoft-updateserver.cf"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.microsoft\-updateserver\.cf$/i"; classtype:trojan-activity; sid:4127921; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/265;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e265 [tlp:white] Outgoing HTTP Hostname www.microsoft-updateserver.cf"; flow:to_server,established; http.header; content: "Host|3a| www.microsoft-updateserver.cf"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.microsoft\-updateserver\.cf[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4127922; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/265;)
#
# --- MISP event 266 (tagged UNC1151 / HermeticWiper, target-information "Ukraine") ---
# These rules carry priority:1 where events 263-265 carry priority:2; the value presumably
# follows the MISP event threat level - confirm against the export settings before using
# it for alert routing. The first two hostnames additionally carry the
# circl:incident-classification="phishing" tag.
alert dns any any -> any any (msg: "MISP e266 [UNC1151,circl:incident-classification="phishing",tlp:white,HermeticWiper,misp-galaxy:target-information="Ukraine",misp-galaxy:mitre-attack-pattern="Data Destruction - T1485",misp-galaxy:mitre-attack-pattern="Disk Structure Wipe - T1561.002",misp-galaxy:mitre-attack-pattern="Group Policy Modification - T1484.001",misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490",misp-galaxy:mitre-attack-pattern="Signed Binary Proxy Execution - T1218"] Hostname i.ua-passport.space"; dns.query; content:"i.ua-passport.space"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])i\.ua\-passport\.space$/i"; classtype:trojan-activity; sid:4128711; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/266;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e266 [UNC1151,circl:incident-classification="phishing",tlp:white,HermeticWiper,misp-galaxy:target-information="Ukraine",misp-galaxy:mitre-attack-pattern="Data Destruction - T1485",misp-galaxy:mitre-attack-pattern="Disk Structure Wipe - T1561.002",misp-galaxy:mitre-attack-pattern="Group Policy Modification - T1484.001",misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490",misp-galaxy:mitre-attack-pattern="Signed Binary Proxy Execution - T1218"] Outgoing HTTP Hostname i.ua-passport.space"; flow:to_server,established; http.header; content: "Host|3a| i.ua-passport.space"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])i\.ua\-passport\.space[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4128712; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/266;)
alert dns any any -> any any (msg: "MISP e266 [UNC1151,circl:incident-classification="phishing",tlp:white,HermeticWiper,misp-galaxy:target-information="Ukraine",misp-galaxy:mitre-attack-pattern="Data Destruction - T1485",misp-galaxy:mitre-attack-pattern="Disk Structure Wipe - T1561.002",misp-galaxy:mitre-attack-pattern="Group Policy Modification - T1484.001",misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490",misp-galaxy:mitre-attack-pattern="Signed Binary Proxy Execution - T1218"] Hostname id.bigmir.space"; dns.query; content:"id.bigmir.space"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])id\.bigmir\.space$/i"; classtype:trojan-activity; sid:4128721; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/266;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e266 [UNC1151,circl:incident-classification="phishing",tlp:white,HermeticWiper,misp-galaxy:target-information="Ukraine",misp-galaxy:mitre-attack-pattern="Data Destruction - T1485",misp-galaxy:mitre-attack-pattern="Disk Structure Wipe - T1561.002",misp-galaxy:mitre-attack-pattern="Group Policy Modification - T1484.001",misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490",misp-galaxy:mitre-attack-pattern="Signed Binary Proxy Execution - T1218"] Outgoing HTTP Hostname id.bigmir.space"; flow:to_server,established; http.header; content: "Host|3a| id.bigmir.space"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])id\.bigmir\.space[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4128722; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/266;)
alert dns any any -> any any (msg: "MISP e266 [tlp:white,HermeticWiper,misp-galaxy:target-information="Ukraine",misp-galaxy:mitre-attack-pattern="Data Destruction - T1485",misp-galaxy:mitre-attack-pattern="Disk Structure Wipe - T1561.002",misp-galaxy:mitre-attack-pattern="Group Policy Modification - T1484.001",misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490",misp-galaxy:mitre-attack-pattern="Signed Binary Proxy Execution - T1218"] Hostname surname192.temp.swtest.ru"; dns.query; content:"surname192.temp.swtest.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])surname192\.temp\.swtest\.ru$/i"; classtype:trojan-activity; sid:4128791; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/266;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e266 [tlp:white,HermeticWiper,misp-galaxy:target-information="Ukraine",misp-galaxy:mitre-attack-pattern="Data Destruction - T1485",misp-galaxy:mitre-attack-pattern="Disk Structure Wipe - T1561.002",misp-galaxy:mitre-attack-pattern="Group Policy Modification - T1484.001",misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490",misp-galaxy:mitre-attack-pattern="Signed Binary Proxy Execution - T1218"] Outgoing HTTP Hostname surname192.temp.swtest.ru"; flow:to_server,established; http.header; content: "Host|3a| surname192.temp.swtest.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])surname192\.temp\.swtest\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4128792; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/266;)
alert dns any any -> any any (msg: "MISP e266 [tlp:white,HermeticWiper,misp-galaxy:target-information="Ukraine",misp-galaxy:mitre-attack-pattern="Data Destruction - T1485",misp-galaxy:mitre-attack-pattern="Disk Structure Wipe - T1561.002",misp-galaxy:mitre-attack-pattern="Group Policy Modification - T1484.001",misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490",misp-galaxy:mitre-attack-pattern="Signed Binary Proxy Execution - T1218"] Hostname deer.dentist.coagula.online"; dns.query; content:"deer.dentist.coagula.online"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])deer\.dentist\.coagula\.online$/i"; classtype:trojan-activity; sid:4128801; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/266;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e266 [tlp:white,HermeticWiper,misp-galaxy:target-information="Ukraine",misp-galaxy:mitre-attack-pattern="Data Destruction - T1485",misp-galaxy:mitre-attack-pattern="Disk Structure Wipe - T1561.002",misp-galaxy:mitre-attack-pattern="Group Policy Modification - T1484.001",misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490",misp-galaxy:mitre-attack-pattern="Signed Binary Proxy Execution - T1218"] Outgoing HTTP Hostname deer.dentist.coagula.online"; flow:to_server,established; http.header; content: "Host|3a| deer.dentist.coagula.online"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])deer\.dentist\.coagula\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4128802; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/266;)
alert dns any any -> any any (msg: "MISP e266 [tlp:white,HermeticWiper,misp-galaxy:target-information="Ukraine",misp-galaxy:mitre-attack-pattern="Data Destruction - T1485",misp-galaxy:mitre-attack-pattern="Disk Structure Wipe - T1561.002",misp-galaxy:mitre-attack-pattern="Group Policy Modification - T1484.001",misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490",misp-galaxy:mitre-attack-pattern="Signed Binary Proxy Execution - T1218"] Hostname declaration.deed.coagula.online"; dns.query; content:"declaration.deed.coagula.online"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])declaration\.deed\.coagula\.online$/i"; classtype:trojan-activity; sid:4128811; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/266;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e266 [tlp:white,HermeticWiper,misp-galaxy:target-information="Ukraine",misp-galaxy:mitre-attack-pattern="Data Destruction - T1485",misp-galaxy:mitre-attack-pattern="Disk Structure Wipe - T1561.002",misp-galaxy:mitre-attack-pattern="Group Policy Modification - T1484.001",misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490",misp-galaxy:mitre-attack-pattern="Signed Binary Proxy Execution - T1218"] Outgoing HTTP Hostname declaration.deed.coagula.online"; flow:to_server,established; http.header; content: "Host|3a| declaration.deed.coagula.online"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])declaration\.deed\.coagula\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4128812; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/266;)
# The four URL rules for surname192.temp.swtest.ru split the indicator into a host match in
# http.header plus a path match in http.uri, restricted to $HTTP_PORTS.
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e266 [tlp:white,HermeticWiper,misp-galaxy:target-information="Ukraine",misp-galaxy:mitre-attack-pattern="Data Destruction - T1485",misp-galaxy:mitre-attack-pattern="Disk Structure Wipe - T1561.002",misp-galaxy:mitre-attack-pattern="Group Policy Modification - T1484.001",misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490",misp-galaxy:mitre-attack-pattern="Signed Binary Proxy Execution - T1218"] Outgoing URL http|3a|//surname192.temp.swtest.ru/prapor/su/ino.gif"; flow:to_server,established; http.header; content:"surname192.temp.swtest.ru"; fast_pattern; nocase; http.uri; content:"/prapor/su/ino.gif"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4128861; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/266;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e266 [tlp:white,HermeticWiper,misp-galaxy:target-information="Ukraine",misp-galaxy:mitre-attack-pattern="Data Destruction - T1485",misp-galaxy:mitre-attack-pattern="Disk Structure Wipe - T1561.002",misp-galaxy:mitre-attack-pattern="Group Policy Modification - T1484.001",misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490",misp-galaxy:mitre-attack-pattern="Signed Binary Proxy Execution - T1218"] Outgoing URL http|3a|//surname192.temp.swtest.ru/prapor/su/derg.gif"; flow:to_server,established; http.header; content:"surname192.temp.swtest.ru"; fast_pattern; nocase; http.uri; content:"/prapor/su/derg.gif"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4128871; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/266;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e266 [tlp:white,HermeticWiper,misp-galaxy:target-information="Ukraine",misp-galaxy:mitre-attack-pattern="Data Destruction - T1485",misp-galaxy:mitre-attack-pattern="Disk Structure Wipe - T1561.002",misp-galaxy:mitre-attack-pattern="Group Policy Modification - T1484.001",misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490",misp-galaxy:mitre-attack-pattern="Signed Binary Proxy Execution - T1218"] Outgoing URL http|3a|//surname192.temp.swtest.ru/prapor/su/flagua.gif"; flow:to_server,established; http.header; content:"surname192.temp.swtest.ru"; fast_pattern; nocase; http.uri; content:"/prapor/su/flagua.gif"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4128881; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/266;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e266 [tlp:white,HermeticWiper,misp-galaxy:target-information="Ukraine",misp-galaxy:mitre-attack-pattern="Data Destruction - T1485",misp-galaxy:mitre-attack-pattern="Disk Structure Wipe - T1561.002",misp-galaxy:mitre-attack-pattern="Group Policy Modification - T1484.001",misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490",misp-galaxy:mitre-attack-pattern="Signed Binary Proxy Execution - T1218"] Outgoing URL http|3a|//surname192.temp.swtest.ru/prapor/su/flages.gif"; flow:to_server,established; http.header; content:"surname192.temp.swtest.ru"; fast_pattern; nocase; http.uri; content:"/prapor/su/flages.gif"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4128891; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/266;)
# NOTE(review): the next two rules (sid 4128901, 4128911) were exported from URL attributes
# without a scheme, and look for host AND path together inside http.uri alone. An ordinary
# origin-form request line ("GET /absolute.ace HTTP/1.1") places only the path in that
# buffer, so these presumably fire only on absolute-form (proxy-style) requests. Consider
# rewriting them like the surname192 rules above - the address in http.host, the path in
# http.uri - and restricting them to $HTTP_PORTS for consistency.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e266 [tlp:white,HermeticWiper,misp-galaxy:target-information="Ukraine",misp-galaxy:mitre-attack-pattern="Data Destruction - T1485",misp-galaxy:mitre-attack-pattern="Disk Structure Wipe - T1561.002",misp-galaxy:mitre-attack-pattern="Group Policy Modification - T1484.001",misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490",misp-galaxy:mitre-attack-pattern="Signed Binary Proxy Execution - T1218"] Outgoing URL 94.158.244.27/absolute.ace"; flow:to_server,established; http.uri; content:"94.158.244.27/absolute.ace"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4128901; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/266;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e266 [tlp:white,HermeticWiper,misp-galaxy:target-information="Ukraine",misp-galaxy:mitre-attack-pattern="Data Destruction - T1485",misp-galaxy:mitre-attack-pattern="Disk Structure Wipe - T1561.002",misp-galaxy:mitre-attack-pattern="Group Policy Modification - T1484.001",misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490",misp-galaxy:mitre-attack-pattern="Signed Binary Proxy Execution - T1218"] Outgoing URL 94.158.244.27/distant.cdr"; flow:to_server,established; http.uri; content:"94.158.244.27/distant.cdr"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4128911; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/266;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e266 [tlp:white,HermeticWiper,misp-galaxy:target-information="Ukraine",misp-galaxy:mitre-attack-pattern="Data Destruction - T1485",misp-galaxy:mitre-attack-pattern="Disk Structure Wipe - T1561.002",misp-galaxy:mitre-attack-pattern="Group Policy Modification - T1484.001",misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490",misp-galaxy:mitre-attack-pattern="Signed Binary Proxy Execution - T1218"] Outgoing URL http|3a|//kfctm.online/0102adqeczoL2.txt"; flow:to_server,established; http.header; content:"kfctm.online"; fast_pattern; nocase; http.uri; content:"/0102adqeczoL2.txt"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4129001; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/266;)
alert dns any any -> any any (msg: "MISP e266 [tlp:white,HermeticWiper,misp-galaxy:target-information="Ukraine",misp-galaxy:mitre-attack-pattern="Data Destruction - T1485",misp-galaxy:mitre-attack-pattern="Disk Structure Wipe - T1561.002",misp-galaxy:mitre-attack-pattern="Group Policy Modification - T1484.001",misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490",misp-galaxy:mitre-attack-pattern="Signed Binary Proxy Execution - T1218"] Domain kfctm.online"; dns.query; content:"kfctm.online"; nocase; pcre: "/(^|[^A-Za-z0-9-])kfctm\.online$/i"; classtype:trojan-activity; sid:4129011; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/266;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e266 [tlp:white,HermeticWiper,misp-galaxy:target-information="Ukraine",misp-galaxy:mitre-attack-pattern="Data Destruction - T1485",misp-galaxy:mitre-attack-pattern="Disk Structure Wipe - T1561.002",misp-galaxy:mitre-attack-pattern="Group Policy Modification - T1484.001",misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490",misp-galaxy:mitre-attack-pattern="Signed Binary Proxy Execution - T1218"] Outgoing HTTP Domain kfctm.online"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kfctm.online"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kfctm\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4129012; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/266;)
#
# --- MISP event 267 (tagged Emotet - S0367) ---
# Domain-style pair (subdomains match); the http rule is cut off here and continues in the
# next section.
alert dns any any -> any any (msg: "MISP e267 [misp-galaxy:mitre-attack-pattern="Standard Cryptographic Protocol - T1032",misp-galaxy:mitre-attack-pattern="Scripting - T1064",misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1096",misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Domain carretilha.net"; dns.query; content:"carretilha.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])carretilha\.net$/i"; classtype:trojan-activity; sid:4129281; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/267;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e267 [misp-galaxy:mitre-attack-pattern="Standard Cryptographic Protocol
- T1032",misp-galaxy:mitre-attack-pattern="Scripting - T1064",misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1096",misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Domain carretilha.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"carretilha.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])carretilha\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4129282; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/267;) alert dns any any -> any any (msg: "MISP e267 [misp-galaxy:mitre-attack-pattern="Standard Cryptographic Protocol - T1032",misp-galaxy:mitre-attack-pattern="Scripting - T1064",misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1096",misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Domain shrinandrajoverseas.com"; dns.query; content:"shrinandrajoverseas.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])shrinandrajoverseas\.com$/i"; classtype:trojan-activity; sid:4129311; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/267;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e267 [misp-galaxy:mitre-attack-pattern="Standard Cryptographic Protocol - T1032",misp-galaxy:mitre-attack-pattern="Scripting - T1064",misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1096",misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Domain shrinandrajoverseas.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"shrinandrajoverseas.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])shrinandrajoverseas\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4129312; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/267;) alert dns any any -> any any (msg: "MISP e267 [misp-galaxy:mitre-attack-pattern="Standard Cryptographic Protocol - T1032",misp-galaxy:mitre-attack-pattern="Scripting - 
T1064",misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1096",misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Domain zionimoveis.com.br"; dns.query; content:"zionimoveis.com.br"; nocase; pcre: "/(^|[^A-Za-z0-9-])zionimoveis\.com\.br$/i"; classtype:trojan-activity; sid:4129341; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/267;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e267 [misp-galaxy:mitre-attack-pattern="Standard Cryptographic Protocol - T1032",misp-galaxy:mitre-attack-pattern="Scripting - T1064",misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1096",misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Domain zionimoveis.com.br"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"zionimoveis.com.br"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])zionimoveis\.com\.br[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4129342; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/267;) alert ip $HOME_NET any -> 177.53.140.227 any (msg: "MISP e267 [misp-galaxy:mitre-attack-pattern="Standard Cryptographic Protocol - T1032",misp-galaxy:mitre-attack-pattern="Scripting - T1064",misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1096",misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing To IP: 177.53.140.227"; classtype:trojan-activity; sid:4129351; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/267;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e267 [misp-galaxy:mitre-attack-pattern="Standard Cryptographic Protocol - T1032",misp-galaxy:mitre-attack-pattern="Scripting - T1064",misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1096",misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Source Email Address: aline@mettaplanejados.com.br"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"aline@mettaplanejados.com.br"; fast_pattern; 
nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4129901; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/267;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e267 [misp-galaxy:mitre-attack-pattern="Standard Cryptographic Protocol - T1032",misp-galaxy:mitre-attack-pattern="Scripting - T1064",misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1096",misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Source Email Address: aline@mettaplanejados.com.br"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"aline@mettaplanejados.com.br"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4129931; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/267;) alert http $HOME_NET any -> 103.179.143.132 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//103.179.143.132/56ce.php"; flow:to_server,established; http.header; content:"103.179.143.132"; fast_pattern; nocase; http.uri; content:"/56ce.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135361; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 13.58.70.215 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//13.58.70.215/gate.php"; flow:to_server,established; http.header; content:"13.58.70.215"; fast_pattern; nocase; http.uri; content:"/gate.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135371; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 13.58.70.215 $HTTP_PORTS (msg: "MISP e269 
[tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//13.58.70.215/request"; flow:to_server,established; http.header; content:"13.58.70.215"; fast_pattern; nocase; http.uri; content:"/request"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135381; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 138.124.183.135 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//138.124.183.135/6CWYkiEnsS.php"; flow:to_server,established; http.header; content:"138.124.183.135"; fast_pattern; nocase; http.uri; content:"/6CWYkiEnsS.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135391; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 149.28.24.179 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//149.28.24.179/request"; flow:to_server,established; http.header; content:"149.28.24.179"; fast_pattern; nocase; http.uri; content:"/request"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135401; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 157.90.241.140 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//157.90.241.140/request"; flow:to_server,established; http.header; content:"157.90.241.140"; fast_pattern; nocase; http.uri; content:"/request"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135411; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 172.105.111.160 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//172.105.111.160/argo.php"; flow:to_server,established; http.header; content:"172.105.111.160"; fast_pattern; nocase; http.uri; content:"/argo.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135421; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 176.57.189.191 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//176.57.189.191/gate.php"; flow:to_server,established; http.header; content:"176.57.189.191"; fast_pattern; nocase; http.uri; content:"/gate.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135431; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 185.4.65.70 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//185.4.65.70/gaate.php"; flow:to_server,established; http.header; content:"185.4.65.70"; fast_pattern; nocase; http.uri; content:"/gaate.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135441; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 185.8.105.91 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//185.8.105.91/2FmVrGoI1K.php"; flow:to_server,established; http.header; content:"185.8.105.91"; fast_pattern; nocase; http.uri; content:"/2FmVrGoI1K.php"; 
nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135451; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 185.8.105.91 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//185.8.105.91/request"; flow:to_server,established; http.header; content:"185.8.105.91"; fast_pattern; nocase; http.uri; content:"/request"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135461; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 188.166.181.15 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//188.166.181.15/mars/Moigate1.php"; flow:to_server,established; http.header; content:"188.166.181.15"; fast_pattern; nocase; http.uri; content:"/mars/Moigate1.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135471; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 192.227.158.57 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//192.227.158.57/request"; flow:to_server,established; http.header; content:"192.227.158.57"; fast_pattern; nocase; http.uri; content:"/request"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135481; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 193.106.191.155 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//193.106.191.155/WYyJf5noB6.php"; 
flow:to_server,established; http.header; content:"193.106.191.155"; fast_pattern; nocase; http.uri; content:"/WYyJf5noB6.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135491; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 193.106.191.155 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//193.106.191.155/request"; flow:to_server,established; http.header; content:"193.106.191.155"; fast_pattern; nocase; http.uri; content:"/request"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135501; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 193.106.191.172 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//193.106.191.172/request"; flow:to_server,established; http.header; content:"193.106.191.172"; fast_pattern; nocase; http.uri; content:"/request"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135511; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 193.56.146.209 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//193.56.146.209/YwFWp4BxCH.php"; flow:to_server,established; http.header; content:"193.56.146.209"; fast_pattern; nocase; http.uri; content:"/YwFWp4BxCH.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135521; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 193.56.146.66 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei 
Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//193.56.146.66/request"; flow:to_server,established; http.header; content:"193.56.146.66"; fast_pattern; nocase; http.uri; content:"/request"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135531; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 193.56.146.66 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//193.56.146.66/tytfu656i7kuydgsjdsdu.php"; flow:to_server,established; http.header; content:"193.56.146.66"; fast_pattern; nocase; http.uri; content:"/tytfu656i7kuydgsjdsdu.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135541; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 194.233.168.238 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//194.233.168.238/hell.php"; flow:to_server,established; http.header; content:"194.233.168.238"; fast_pattern; nocase; http.uri; content:"/hell.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135551; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 194.233.168.238 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//194.233.168.238/request"; flow:to_server,established; http.header; content:"194.233.168.238"; fast_pattern; nocase; http.uri; content:"/request"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135561; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http 
$HOME_NET any -> 194.37.80.190 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//194.37.80.190/64gh64143rte.php"; flow:to_server,established; http.header; content:"194.37.80.190"; fast_pattern; nocase; http.uri; content:"/64gh64143rte.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135571; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 194.87.218.39 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//194.87.218.39/RyC66VfSGP.php"; flow:to_server,established; http.header; content:"194.87.218.39"; fast_pattern; nocase; http.uri; content:"/RyC66VfSGP.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135581; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 194.87.218.39 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//194.87.218.39/request"; flow:to_server,established; http.header; content:"194.87.218.39"; fast_pattern; nocase; http.uri; content:"/request"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135591; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 195.2.84.171 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//195.2.84.171/sebapsiz.php"; flow:to_server,established; http.header; content:"195.2.84.171"; fast_pattern; nocase; http.uri; content:"/sebapsiz.php"; nocase; tag:session,600,seconds; 
classtype:trojan-activity; sid:4135601; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//195124.prohoster.biz/pool.php"; flow:to_server,established; http.header; content:"195124.prohoster.biz"; fast_pattern; nocase; http.uri; content:"/pool.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135611; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//1jngx5tb3a.cf/carlos.php"; flow:to_server,established; http.header; content:"1jngx5tb3a.cf"; fast_pattern; nocase; http.uri; content:"/carlos.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135621; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 20.185.186.224 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//20.185.186.224/mars/"; flow:to_server,established; http.header; content:"20.185.186.224"; fast_pattern; nocase; http.uri; content:"/mars/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135631; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 212.227.211.75 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//212.227.211.75/request"; flow:to_server,established; http.header; 
content:"212.227.211.75"; fast_pattern; nocase; http.uri; content:"/request"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135641; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 217.114.43.28 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//217.114.43.28/gay.php"; flow:to_server,established; http.header; content:"217.114.43.28"; fast_pattern; nocase; http.uri; content:"/gay.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135651; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 23.239.9.184 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//23.239.9.184/request"; flow:to_server,established; http.header; content:"23.239.9.184"; fast_pattern; nocase; http.uri; content:"/request"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135661; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 45.140.147.99 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//45.140.147.99/request"; flow:to_server,established; http.header; content:"45.140.147.99"; fast_pattern; nocase; http.uri; content:"/request"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135671; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 45.67.230.47 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL 
http|3a|//45.67.230.47/request"; flow:to_server,established; http.header; content:"45.67.230.47"; fast_pattern; nocase; http.uri; content:"/request"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135681; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 45.77.112.250 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//45.77.112.250/JpRVHxiq9z.php"; flow:to_server,established; http.header; content:"45.77.112.250"; fast_pattern; nocase; http.uri; content:"/JpRVHxiq9z.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135691; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 45.9.20.31 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//45.9.20.31/request"; flow:to_server,established; http.header; content:"45.9.20.31"; fast_pattern; nocase; http.uri; content:"/request"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135701; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 5.181.80.130 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//5.181.80.130/0ReCKHEkYG.php"; flow:to_server,established; http.header; content:"5.181.80.130"; fast_pattern; nocase; http.uri; content:"/0ReCKHEkYG.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135711; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 5.45.84.214 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei 
Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//5.45.84.214/request"; flow:to_server,established; http.header; content:"5.45.84.214"; fast_pattern; nocase; http.uri; content:"/request"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135721; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 5.45.84.214 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//5.45.84.214/umO0HLhYp5.php"; flow:to_server,established; http.header; content:"5.45.84.214"; fast_pattern; nocase; http.uri; content:"/umO0HLhYp5.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135731; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 62.113.99.76 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//62.113.99.76/mygate.php"; flow:to_server,established; http.header; content:"62.113.99.76"; fast_pattern; nocase; http.uri; content:"/mygate.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135741; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 62.204.41.103 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//62.204.41.103/ozHwmSbcLG.php"; flow:to_server,established; http.header; content:"62.204.41.103"; fast_pattern; nocase; http.uri; content:"/ozHwmSbcLG.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135751; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 62.204.41.103 
$HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//62.204.41.103/request"; flow:to_server,established; http.header; content:"62.204.41.103"; fast_pattern; nocase; http.uri; content:"/request"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135761; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 62.204.41.128 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//62.204.41.128/request"; flow:to_server,established; http.header; content:"62.204.41.128"; fast_pattern; nocase; http.uri; content:"/request"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135771; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 62.204.41.133 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//62.204.41.133/request"; flow:to_server,established; http.header; content:"62.204.41.133"; fast_pattern; nocase; http.uri; content:"/request"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135781; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 62.204.41.179 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//62.204.41.179/game.php"; flow:to_server,established; http.header; content:"62.204.41.179"; fast_pattern; nocase; http.uri; content:"/game.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135791; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 62.204.41.179 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//62.204.41.179/gatorade.php"; flow:to_server,established; http.header; content:"62.204.41.179"; fast_pattern; nocase; http.uri; content:"/gatorade.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135801; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 62.204.41.179 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//62.204.41.179/request"; flow:to_server,established; http.header; content:"62.204.41.179"; fast_pattern; nocase; http.uri; content:"/request"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135811; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 62.204.41.180 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//62.204.41.180/request"; flow:to_server,established; http.header; content:"62.204.41.180"; fast_pattern; nocase; http.uri; content:"/request"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135821; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 62.204.41.193 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//62.204.41.193/request"; flow:to_server,established; http.header; content:"62.204.41.193"; fast_pattern; nocase; http.uri; content:"/request"; nocase; 
tag:session,600,seconds; classtype:trojan-activity; sid:4135831; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 62.204.41.223 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//62.204.41.223/request"; flow:to_server,established; http.header; content:"62.204.41.223"; fast_pattern; nocase; http.uri; content:"/request"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135841; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 62.204.41.69 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//62.204.41.69/request"; flow:to_server,established; http.header; content:"62.204.41.69"; fast_pattern; nocase; http.uri; content:"/request"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135851; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 62.204.41.70 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//62.204.41.70/ZelkQca3gd.php"; flow:to_server,established; http.header; content:"62.204.41.70"; fast_pattern; nocase; http.uri; content:"/ZelkQca3gd.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135861; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 62.3.12.9 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//62.3.12.9/request"; flow:to_server,established; http.header; content:"62.3.12.9"; 
fast_pattern; nocase; http.uri; content:"/request"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135871; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 65.108.50.253 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//65.108.50.253/request"; flow:to_server,established; http.header; content:"65.108.50.253"; fast_pattern; nocase; http.uri; content:"/request"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135881; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 66.29.149.221 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//66.29.149.221/request"; flow:to_server,established; http.header; content:"66.29.149.221"; fast_pattern; nocase; http.uri; content:"/request"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135891; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 78.142.18.157 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//78.142.18.157/Lkjhguiuytfghj.php"; flow:to_server,established; http.header; content:"78.142.18.157"; fast_pattern; nocase; http.uri; content:"/Lkjhguiuytfghj.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135901; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 80.79.114.182 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL 
http|3a|//80.79.114.182/1eW2mZPpfN.php"; flow:to_server,established; http.header; content:"80.79.114.182"; fast_pattern; nocase; http.uri; content:"/1eW2mZPpfN.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135911; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 82.221.141.233 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//82.221.141.233/hTA6yCkWZL.php"; flow:to_server,established; http.header; content:"82.221.141.233"; fast_pattern; nocase; http.uri; content:"/hTA6yCkWZL.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135921; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 84.252.73.229 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//84.252.73.229/mamik.php"; flow:to_server,established; http.header; content:"84.252.73.229"; fast_pattern; nocase; http.uri; content:"/mamik.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135931; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 85.208.185.13 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//85.208.185.13/kYhvOwlJLf.php"; flow:to_server,established; http.header; content:"85.208.185.13"; fast_pattern; nocase; http.uri; content:"/kYhvOwlJLf.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135941; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 85.209.90.53 $HTTP_PORTS (msg: "MISP e269 
[tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//85.209.90.53/request"; flow:to_server,established; http.header; content:"85.209.90.53"; fast_pattern; nocase; http.uri; content:"/request"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135951; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 91.243.44.24 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//91.243.44.24/request"; flow:to_server,established; http.header; content:"91.243.44.24"; fast_pattern; nocase; http.uri; content:"/request"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135961; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 92.255.85.78 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//92.255.85.78/eO18EPDxp6.php"; flow:to_server,established; http.header; content:"92.255.85.78"; fast_pattern; nocase; http.uri; content:"/eO18EPDxp6.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135971; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 92.255.85.78 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//92.255.85.78/request"; flow:to_server,established; http.header; content:"92.255.85.78"; fast_pattern; nocase; http.uri; content:"/request"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135981; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) 
alert http $HOME_NET any -> 93.159.221.78 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//93.159.221.78/request"; flow:to_server,established; http.header; content:"93.159.221.78"; fast_pattern; nocase; http.uri; content:"/request"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4135991; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 93.174.93.178 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//93.174.93.178/eBhv4xpn8w.php"; flow:to_server,established; http.header; content:"93.174.93.178"; fast_pattern; nocase; http.uri; content:"/eBhv4xpn8w.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4136001; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 93.174.93.178 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//93.174.93.178/request"; flow:to_server,established; http.header; content:"93.174.93.178"; fast_pattern; nocase; http.uri; content:"/request"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4136011; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> 95.216.165.190 $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//95.216.165.190/request"; flow:to_server,established; http.header; content:"95.216.165.190"; fast_pattern; nocase; http.uri; content:"/request"; nocase; tag:session,600,seconds; classtype:trojan-activity; 
sid:4136021; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//a0625947.xsph.ru/AkehfbUFViehbfg.php"; flow:to_server,established; http.header; content:"a0625947.xsph.ru"; fast_pattern; nocase; http.uri; content:"/AkehfbUFViehbfg.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4136031; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//a0626884.xsph.ru/mytestapp.php"; flow:to_server,established; http.header; content:"a0626884.xsph.ru"; fast_pattern; nocase; http.uri; content:"/mytestapp.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4136041; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//a0634004.xsph.ru/kira.php"; flow:to_server,established; http.header; content:"a0634004.xsph.ru"; fast_pattern; nocase; http.uri; content:"/kira.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4136051; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//anderd2w.beget.tech/gate.php"; flow:to_server,established; http.header; 
content:"anderd2w.beget.tech"; fast_pattern; nocase; http.uri; content:"/gate.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4136061; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//bankkia.gq/gate.php"; flow:to_server,established; http.header; content:"bankkia.gq"; fast_pattern; nocase; http.uri; content:"/gate.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4136071; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//banlobora2.temp.swtest.ru/gate.php"; flow:to_server,established; http.header; content:"banlobora2.temp.swtest.ru"; fast_pattern; nocase; http.uri; content:"/gate.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4136081; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//blitzhost.ga/gate.php"; flow:to_server,established; http.header; content:"blitzhost.ga"; fast_pattern; nocase; http.uri; content:"/gate.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4136091; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski 
Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//blitzhost.tk/gate.php"; flow:to_server,established; http.header; content:"blitzhost.tk"; fast_pattern; nocase; http.uri; content:"/gate.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4136101; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//bozkurtroot.dev/boz.php"; flow:to_server,established; http.header; content:"bozkurtroot.dev"; fast_pattern; nocase; http.uri; content:"/boz.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4136111; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//ce18965.tmweb.ru/pyk.php"; flow:to_server,established; http.header; content:"ce18965.tmweb.ru"; fast_pattern; nocase; http.uri; content:"/pyk.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4136121; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//cheapb.link/request"; flow:to_server,established; http.header; content:"cheapb.link"; fast_pattern; nocase; http.uri; content:"/request"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4136131; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e269 
[tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//cheape.link/request"; flow:to_server,established; http.header; content:"cheape.link"; fast_pattern; nocase; http.uri; content:"/request"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4136141; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//cloud.setorinc.com/request"; flow:to_server,established; http.header; content:"cloud.setorinc.com"; fast_pattern; nocase; http.uri; content:"/request"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4136151; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//coin-file-file-19.com/request"; flow:to_server,established; http.header; content:"coin-file-file-19.com"; fast_pattern; nocase; http.uri; content:"/request"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4136161; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//coin-file-file-19.com/tratata.php"; flow:to_server,established; http.header; content:"coin-file-file-19.com"; fast_pattern; nocase; http.uri; content:"/tratata.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4136171; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//dashgaa.ml/gate.php"; flow:to_server,established; http.header; content:"dashgaa.ml"; fast_pattern; nocase; http.uri; content:"/gate.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4136181; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//eropovitalii.fvds.ru/gate.php"; flow:to_server,established; http.header; content:"eropovitalii.fvds.ru"; fast_pattern; nocase; http.uri; content:"/gate.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4136191; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//f0575998.xsph.ru/mamont.php"; flow:to_server,established; http.header; content:"f0575998.xsph.ru"; fast_pattern; nocase; http.uri; content:"/mamont.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4136201; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//f0623459.xsph.ru/gate.php"; flow:to_server,established; http.header; content:"f0623459.xsph.ru"; fast_pattern; nocase; http.uri; 
content:"/gate.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4136211; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//f0645448.xsph.ru/freedom19.php"; flow:to_server,established; http.header; content:"f0645448.xsph.ru"; fast_pattern; nocase; http.uri; content:"/freedom19.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4136221; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//file-file-host4.com/tratata.php"; flow:to_server,established; http.header; content:"file-file-host4.com"; fast_pattern; nocase; http.uri; content:"/tratata.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4136231; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//files.000webhost.com/gate.php"; flow:to_server,established; http.header; content:"files.000webhost.com"; fast_pattern; nocase; http.uri; content:"/gate.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4136241; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL 
http|3a|//homesteadr.link/ggate.php"; flow:to_server,established; http.header; content:"homesteadr.link"; fast_pattern; nocase; http.uri; content:"/ggate.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4136251; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//jsdkcr.link/request"; flow:to_server,established; http.header; content:"jsdkcr.link"; fast_pattern; nocase; http.uri; content:"/request"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4136261; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//main2.flashysoft.me/signup.php"; flow:to_server,established; http.header; content:"main2.flashysoft.me"; fast_pattern; nocase; http.uri; content:"/signup.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4136271; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//mainpagedir.xyz/RN7mXpmNoV.php"; flow:to_server,established; http.header; content:"mainpagedir.xyz"; fast_pattern; nocase; http.uri; content:"/RN7mXpmNoV.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4136281; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e269 
[tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//marssnami.000webhostapp.com/public_html/gate.php"; flow:to_server,established; http.header; content:"marssnami.000webhostapp.com"; fast_pattern; nocase; http.uri; content:"/public_html/gate.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4136291; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//nationalspaceforceusaaainc.com/donsgate.php"; flow:to_server,established; http.header; content:"nationalspaceforceusaaainc.com"; fast_pattern; nocase; http.uri; content:"/donsgate.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4136301; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//panel.computer/gate.php"; flow:to_server,established; http.header; content:"panel.computer"; fast_pattern; nocase; http.uri; content:"/gate.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4136311; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//panelimeroc.com/gate.php"; flow:to_server,established; http.header; content:"panelimeroc.com"; fast_pattern; nocase; http.uri; content:"/gate.php"; nocase; tag:session,600,seconds; 
classtype:trojan-activity; sid:4136321; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//senatordev.com/gate.php"; flow:to_server,established; http.header; content:"senatordev.com"; fast_pattern; nocase; http.uri; content:"/gate.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4136331; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//share.softwareshare.me/signup.php"; flow:to_server,established; http.header; content:"share.softwareshare.me"; fast_pattern; nocase; http.uri; content:"/signup.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4136341; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//tafun.link/request"; flow:to_server,established; http.header; content:"tafun.link"; fast_pattern; nocase; http.uri; content:"/request"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4136351; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//test.akadns9.net/gate.php"; flow:to_server,established; http.header; 
content:"test.akadns9.net"; fast_pattern; nocase; http.uri; content:"/gate.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4136361; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//tommytshop.com/KNOuG8qeID.php"; flow:to_server,established; http.header; content:"tommytshop.com"; fast_pattern; nocase; http.uri; content:"/KNOuG8qeID.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4136371; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//tommytshop.com/request"; flow:to_server,established; http.header; content:"tommytshop.com"; fast_pattern; nocase; http.uri; content:"/request"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4136381; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//traps.ml/fucktoy.php"; flow:to_server,established; http.header; content:"traps.ml"; fast_pattern; nocase; http.uri; content:"/fucktoy.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4136391; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] 
Outgoing URL http|3a|//x021x333awwww.com/gate.php"; flow:to_server,established; http.header; content:"x021x333awwww.com"; fast_pattern; nocase; http.uri; content:"/gate.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4136401; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL http|3a|//zl3fh9x1.beget.tech/gate.php"; flow:to_server,established; http.header; content:"zl3fh9x1.beget.tech"; fast_pattern; nocase; http.uri; content:"/gate.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4136411; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL https|3a|//computerprotect.me/request"; tls.sni; content:"computerprotect.me"; tag:session,600,seconds; classtype:trojan-activity; sid:4136421; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL https|3a|//files.000webhost.com/gate.php"; tls.sni; content:"files.000webhost.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4136431; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL https|3a|//mainpagedir.xyz/RN7mXpmNoV.php"; tls.sni; content:"mainpagedir.xyz"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4136441; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e269 [tlp:white,informationstealer,misp-galaxy:malpedia="Arkei Stealer",misp-galaxy:malpedia="Oski Stealer",misp-galaxy:stealer="Vidar"] Outgoing URL https|3a|//panel.computer/panel/gate.php"; tls.sni; content:"panel.computer"; tag:session,600,seconds; classtype:trojan-activity; sid:4136451; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/269;) alert dns any any -> any any (msg: "MISP e271 [tlp:white] Domain nnews.co"; dns.query; content:"nnews.co"; nocase; pcre: "/(^|[^A-Za-z0-9-])nnews\.co$/i"; classtype:trojan-activity; sid:4141841; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/271;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e271 [tlp:white] Outgoing HTTP Domain nnews.co"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nnews.co"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nnews\.co[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4141842; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/271;) alert dns any any -> any any (msg: "MISP e271 [tlp:white] Domain statsads.co"; dns.query; content:"statsads.co"; nocase; pcre: "/(^|[^A-Za-z0-9-])statsads\.co$/i"; classtype:trojan-activity; sid:4141851; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/271;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e271 [tlp:white] Outgoing HTTP Domain statsads.co"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"statsads.co"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])statsads\.co[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4141852; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/271;) alert dns any any -> 
any any (msg: "MISP e271 [tlp:white] Domain adsmetrics.co"; dns.query; content:"adsmetrics.co"; nocase; pcre: "/(^|[^A-Za-z0-9-])adsmetrics\.co$/i"; classtype:trojan-activity; sid:4141861; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/271;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e271 [tlp:white] Outgoing HTTP Domain adsmetrics.co"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"adsmetrics.co"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])adsmetrics\.co[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4141862; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/271;) alert dns any any -> any any (msg: "MISP e271 [tlp:white] Domain redirstats.com"; dns.query; content:"redirstats.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])redirstats\.com$/i"; classtype:trojan-activity; sid:4141871; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/271;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e271 [tlp:white] Outgoing HTTP Domain redirstats.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"redirstats.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])redirstats\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4141872; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/271;) alert dns any any -> any any (msg: "MISP e271 [tlp:white] Hostname statsupplier.cominfoquiz.net"; dns.query; content:"statsupplier.cominfoquiz.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])statsupplier\.cominfoquiz\.net$/i"; classtype:trojan-activity; sid:4141881; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/271;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e271 [tlp:white] Outgoing HTTP Hostname statsupplier.cominfoquiz.net"; flow:to_server,established; http.header; content: "Host|3a| statsupplier.cominfoquiz.net"; 
fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])statsupplier\.cominfoquiz\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4141882; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/271;) alert dns any any -> any any (msg: "MISP e271 [tlp:white] Domain 123tramites.com"; dns.query; content:"123tramites.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])123tramites\.com$/i"; classtype:trojan-activity; sid:4141891; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/271;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e271 [tlp:white] Outgoing HTTP Domain 123tramites.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"123tramites.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])123tramites\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4141892; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/271;) alert ip $HOME_NET any -> 89.44.9.243 any (msg: "MISP e272 [tlp:white] Outgoing To IP: 89.44.9.243"; classtype:trojan-activity; sid:4142271; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/272;) alert ip $HOME_NET any -> 37.120.238.58 any (msg: "MISP e272 [tlp:white] Outgoing To IP: 37.120.238.58"; classtype:trojan-activity; sid:4142281; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/272;) alert ip $HOME_NET any -> 45.153.160.140 any (msg: "MISP e272 [tlp:white] Outgoing To IP: 45.153.160.140"; classtype:trojan-activity; sid:4142291; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/272;) alert ip $HOME_NET any -> 142.234.157.246 any (msg: "MISP e272 [tlp:white] Outgoing To IP: 142.234.157.246"; classtype:trojan-activity; sid:4142301; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/272;) alert ip $HOME_NET any -> 152.89.247.207 any (msg: "MISP e272 [tlp:white] Outgoing To IP: 152.89.247.207"; classtype:trojan-activity; 
sid:4142311; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/272;) alert ip $HOME_NET any -> 23.106.223.97 any (msg: "MISP e272 [tlp:white] Outgoing To IP: 23.106.223.97"; classtype:trojan-activity; sid:4142321; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/272;) alert ip $HOME_NET any -> 45.134.20.66 any (msg: "MISP e272 [tlp:white] Outgoing To IP: 45.134.20.66"; classtype:trojan-activity; sid:4142331; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/272;) alert ip $HOME_NET any -> 198.144.121.93 any (msg: "MISP e272 [tlp:white] Outgoing To IP: 198.144.121.93"; classtype:trojan-activity; sid:4142341; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/272;) alert ip $HOME_NET any -> 185.220.102.253 any (msg: "MISP e272 [tlp:white] Outgoing To IP: 185.220.102.253"; classtype:trojan-activity; sid:4142351; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/272;) alert ip $HOME_NET any -> 89.163.252.230 any (msg: "MISP e272 [tlp:white] Outgoing To IP: 89.163.252.230"; classtype:trojan-activity; sid:4142361; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/272;) alert ip $HOME_NET any -> 146.0.77.15 any (msg: "MISP e272 [tlp:white] Outgoing To IP: 146.0.77.15"; classtype:trojan-activity; sid:4142371; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/272;) alert ip $HOME_NET any -> 139.60.161.161 any (msg: "MISP e272 [tlp:white] Outgoing To IP: 139.60.161.161"; classtype:trojan-activity; sid:4142381; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/272;) alert ip $HOME_NET any -> 94.232.41.155 any (msg: "MISP e272 [tlp:white] Outgoing To IP: 94.232.41.155"; classtype:trojan-activity; sid:4142391; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/272;) alert dns any any -> any any (msg: "MISP e273 [misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="DLL 
Side-Loading - T1574.002",misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140",misp-galaxy:mitre-attack-pattern="Process Hollowing - T1055.012",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Token Impersonation/Theft - T1134.001",misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003",misp-galaxy:mitre-attack-pattern="Clipboard Data - T1115",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004",misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005",misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001",misp-galaxy:mitre-attack-pattern="Signed Binary Proxy Execution - T1218",misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",tlp:white] Domain cdn181.awsdns-531.com"; dns.query; content:"cdn181.awsdns-531.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])cdn181\.awsdns\-531\.com$/i"; classtype:trojan-activity; sid:4142471; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/273;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e273 [misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002",misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140",misp-galaxy:mitre-attack-pattern="Process Hollowing - T1055.012",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Token Impersonation/Theft - T1134.001",misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003",misp-galaxy:mitre-attack-pattern="Clipboard Data - T1115",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004",misp-galaxy:mitre-attack-pattern="Match 
Legitimate Name or Location - T1036.005",misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001",misp-galaxy:mitre-attack-pattern="Signed Binary Proxy Execution - T1218",misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",tlp:white] Outgoing HTTP Domain cdn181.awsdns-531.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cdn181.awsdns-531.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cdn181\.awsdns\-531\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4142472; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/273;) alert dns any any -> any any (msg: "MISP e274 [misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005",misp-galaxy:mitre-intrusion-set="OilRig - G0049",tlp:white] Domain uber-asia.com"; dns.query; content:"uber-asia.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])uber\-asia\.com$/i"; classtype:trojan-activity; sid:4142781; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/274;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e274 [misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005",misp-galaxy:mitre-intrusion-set="OilRig - G0049",tlp:white] Outgoing HTTP Domain uber-asia.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"uber-asia.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])uber\-asia\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4142782; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/274;) alert dns any any -> any any (msg: "MISP e274 [misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005",misp-galaxy:mitre-intrusion-set="OilRig - G0049",tlp:white] Domain asiaworldremit.com"; dns.query; content:"asiaworldremit.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])asiaworldremit\.com$/i"; classtype:trojan-activity; sid:4142791; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/274;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e274 [misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005",misp-galaxy:mitre-intrusion-set="OilRig - G0049",tlp:white] Outgoing HTTP Domain asiaworldremit.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"asiaworldremit.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])asiaworldremit\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4142792; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/274;) alert dns any any -> any any (msg: "MISP e274 [misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Scheduled Task - 
T1053.005",misp-galaxy:mitre-intrusion-set="OilRig - G0049",tlp:white] Domain joexpediagroup.com"; dns.query; content:"joexpediagroup.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])joexpediagroup\.com$/i"; classtype:trojan-activity; sid:4142801; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/274;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e274 [misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005",misp-galaxy:mitre-intrusion-set="OilRig - G0049",tlp:white] Outgoing HTTP Domain joexpediagroup.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"joexpediagroup.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])joexpediagroup\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4142802; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/274;) alert dns any any -> any any (msg: "MISP e275 [misp-galaxy:mitre-attack-pattern="Additional Cloud Credentials - T1098.001",misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071",misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002",misp-galaxy:mitre-attack-pattern="Compromise Infrastructure - T1584",misp-galaxy:mitre-attack-pattern="DCSync - T1003.006",misp-galaxy:mitre-attack-pattern="Email Collection - T1114",misp-galaxy:mitre-attack-pattern="Install Digital Certificate - T1608.003",misp-galaxy:mitre-attack-pattern="LSA Secrets - T1003.004",misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1090.003",misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="PowerShell - 
T1059.001",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Protocol Tunneling - T1572",misp-galaxy:mitre-attack-pattern="Query Registry - T1012",misp-galaxy:mitre-attack-pattern="Rc.common - T1037.004",misp-galaxy:mitre-attack-pattern="Remote Email Collection - T1114.002",misp-galaxy:mitre-attack-pattern="SSH - T1021.004",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016",misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049",misp-galaxy:mitre-attack-pattern="Two-Factor Authentication Interception - T1111",misp-galaxy:mitre-attack-pattern="Virtual Private Server - T1583.003",misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003",misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003",tlp:white] Domain cloudns.asia"; dns.query; content:"cloudns.asia"; nocase; pcre: "/(^|[^A-Za-z0-9-])cloudns\.asia$/i"; classtype:trojan-activity; sid:4142941; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/275;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e275 [misp-galaxy:mitre-attack-pattern="Additional Cloud Credentials - T1098.001",misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071",misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002",misp-galaxy:mitre-attack-pattern="Compromise Infrastructure - T1584",misp-galaxy:mitre-attack-pattern="DCSync - T1003.006",misp-galaxy:mitre-attack-pattern="Email Collection - T1114",misp-galaxy:mitre-attack-pattern="Install Digital Certificate - T1608.003",misp-galaxy:mitre-attack-pattern="LSA Secrets - T1003.004",misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1090.003",misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="PowerShell - 
T1059.001",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Protocol Tunneling - T1572",misp-galaxy:mitre-attack-pattern="Query Registry - T1012",misp-galaxy:mitre-attack-pattern="Rc.common - T1037.004",misp-galaxy:mitre-attack-pattern="Remote Email Collection - T1114.002",misp-galaxy:mitre-attack-pattern="SSH - T1021.004",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016",misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049",misp-galaxy:mitre-attack-pattern="Two-Factor Authentication Interception - T1111",misp-galaxy:mitre-attack-pattern="Virtual Private Server - T1583.003",misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003",misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003",tlp:white] Outgoing HTTP Domain cloudns.asia"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cloudns.asia"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cloudns\.asia[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4142942; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/275;) alert dns any any -> any any (msg: "MISP e275 [misp-galaxy:mitre-attack-pattern="Additional Cloud Credentials - T1098.001",misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071",misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002",misp-galaxy:mitre-attack-pattern="Compromise Infrastructure - T1584",misp-galaxy:mitre-attack-pattern="DCSync - T1003.006",misp-galaxy:mitre-attack-pattern="Email Collection - T1114",misp-galaxy:mitre-attack-pattern="Install Digital Certificate - T1608.003",misp-galaxy:mitre-attack-pattern="LSA Secrets - T1003.004",misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1090.003",misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - 
T1095",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Protocol Tunneling - T1572",misp-galaxy:mitre-attack-pattern="Query Registry - T1012",misp-galaxy:mitre-attack-pattern="Rc.common - T1037.004",misp-galaxy:mitre-attack-pattern="Remote Email Collection - T1114.002",misp-galaxy:mitre-attack-pattern="SSH - T1021.004",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016",misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049",misp-galaxy:mitre-attack-pattern="Two-Factor Authentication Interception - T1111",misp-galaxy:mitre-attack-pattern="Virtual Private Server - T1583.003",misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003",misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003",tlp:white] Domain dynu.net"; dns.query; content:"dynu.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])dynu\.net$/i"; classtype:trojan-activity; sid:4142951; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/275;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e275 [misp-galaxy:mitre-attack-pattern="Additional Cloud Credentials - T1098.001",misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071",misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002",misp-galaxy:mitre-attack-pattern="Compromise Infrastructure - T1584",misp-galaxy:mitre-attack-pattern="DCSync - T1003.006",misp-galaxy:mitre-attack-pattern="Email Collection - T1114",misp-galaxy:mitre-attack-pattern="Install Digital Certificate - T1608.003",misp-galaxy:mitre-attack-pattern="LSA Secrets - T1003.004",misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1090.003",misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - 
T1095",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Protocol Tunneling - T1572",misp-galaxy:mitre-attack-pattern="Query Registry - T1012",misp-galaxy:mitre-attack-pattern="Rc.common - T1037.004",misp-galaxy:mitre-attack-pattern="Remote Email Collection - T1114.002",misp-galaxy:mitre-attack-pattern="SSH - T1021.004",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016",misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049",misp-galaxy:mitre-attack-pattern="Two-Factor Authentication Interception - T1111",misp-galaxy:mitre-attack-pattern="Virtual Private Server - T1583.003",misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003",misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003",tlp:white] Outgoing HTTP Domain dynu.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dynu.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dynu\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4142952; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/275;) alert dns any any -> any any (msg: "MISP e275 [misp-galaxy:mitre-attack-pattern="Additional Cloud Credentials - T1098.001",misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071",misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002",misp-galaxy:mitre-attack-pattern="Compromise Infrastructure - T1584",misp-galaxy:mitre-attack-pattern="DCSync - T1003.006",misp-galaxy:mitre-attack-pattern="Email Collection - T1114",misp-galaxy:mitre-attack-pattern="Install Digital Certificate - T1608.003",misp-galaxy:mitre-attack-pattern="LSA Secrets - T1003.004",misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - 
T1090.003",misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Protocol Tunneling - T1572",misp-galaxy:mitre-attack-pattern="Query Registry - T1012",misp-galaxy:mitre-attack-pattern="Rc.common - T1037.004",misp-galaxy:mitre-attack-pattern="Remote Email Collection - T1114.002",misp-galaxy:mitre-attack-pattern="SSH - T1021.004",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016",misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049",misp-galaxy:mitre-attack-pattern="Two-Factor Authentication Interception - T1111",misp-galaxy:mitre-attack-pattern="Virtual Private Server - T1583.003",misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003",misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003",tlp:white] Domain mywire.org"; dns.query; content:"mywire.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])mywire\.org$/i"; classtype:trojan-activity; sid:4142961; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/275;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e275 [misp-galaxy:mitre-attack-pattern="Additional Cloud Credentials - T1098.001",misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071",misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002",misp-galaxy:mitre-attack-pattern="Compromise Infrastructure - T1584",misp-galaxy:mitre-attack-pattern="DCSync - T1003.006",misp-galaxy:mitre-attack-pattern="Email Collection - T1114",misp-galaxy:mitre-attack-pattern="Install Digital Certificate - T1608.003",misp-galaxy:mitre-attack-pattern="LSA Secrets - T1003.004",misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - 
T1090.003",misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Protocol Tunneling - T1572",misp-galaxy:mitre-attack-pattern="Query Registry - T1012",misp-galaxy:mitre-attack-pattern="Rc.common - T1037.004",misp-galaxy:mitre-attack-pattern="Remote Email Collection - T1114.002",misp-galaxy:mitre-attack-pattern="SSH - T1021.004",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016",misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049",misp-galaxy:mitre-attack-pattern="Two-Factor Authentication Interception - T1111",misp-galaxy:mitre-attack-pattern="Virtual Private Server - T1583.003",misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003",misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003",tlp:white] Outgoing HTTP Domain mywire.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mywire.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mywire\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4142962; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/275;) alert dns any any -> any any (msg: "MISP e275 [misp-galaxy:mitre-attack-pattern="Additional Cloud Credentials - T1098.001",misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071",misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002",misp-galaxy:mitre-attack-pattern="Compromise Infrastructure - T1584",misp-galaxy:mitre-attack-pattern="DCSync - T1003.006",misp-galaxy:mitre-attack-pattern="Email Collection - T1114",misp-galaxy:mitre-attack-pattern="Install Digital Certificate - 
T1608.003",misp-galaxy:mitre-attack-pattern="LSA Secrets - T1003.004",misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1090.003",misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Protocol Tunneling - T1572",misp-galaxy:mitre-attack-pattern="Query Registry - T1012",misp-galaxy:mitre-attack-pattern="Rc.common - T1037.004",misp-galaxy:mitre-attack-pattern="Remote Email Collection - T1114.002",misp-galaxy:mitre-attack-pattern="SSH - T1021.004",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016",misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049",misp-galaxy:mitre-attack-pattern="Two-Factor Authentication Interception - T1111",misp-galaxy:mitre-attack-pattern="Virtual Private Server - T1583.003",misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003",misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003",tlp:white] Domain webredirect.org"; dns.query; content:"webredirect.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])webredirect\.org$/i"; classtype:trojan-activity; sid:4142971; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/275;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e275 [misp-galaxy:mitre-attack-pattern="Additional Cloud Credentials - T1098.001",misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071",misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002",misp-galaxy:mitre-attack-pattern="Compromise Infrastructure - T1584",misp-galaxy:mitre-attack-pattern="DCSync - T1003.006",misp-galaxy:mitre-attack-pattern="Email Collection - T1114",misp-galaxy:mitre-attack-pattern="Install Digital Certificate - 
T1608.003",misp-galaxy:mitre-attack-pattern="LSA Secrets - T1003.004",misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1090.003",misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Protocol Tunneling - T1572",misp-galaxy:mitre-attack-pattern="Query Registry - T1012",misp-galaxy:mitre-attack-pattern="Rc.common - T1037.004",misp-galaxy:mitre-attack-pattern="Remote Email Collection - T1114.002",misp-galaxy:mitre-attack-pattern="SSH - T1021.004",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016",misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049",misp-galaxy:mitre-attack-pattern="Two-Factor Authentication Interception - T1111",misp-galaxy:mitre-attack-pattern="Virtual Private Server - T1583.003",misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003",misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003",tlp:white] Outgoing HTTP Domain webredirect.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"webredirect.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])webredirect\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4142972; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/275;) alert ip $HOME_NET any -> 104.255.174.58 any (msg: "MISP e277 [tlp:white] Outgoing To IP: 104.255.174.58"; classtype:trojan-activity; sid:4143201; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/277;) alert ip $HOME_NET any -> 104.255.174.59 any (msg: "MISP e277 [tlp:white] Outgoing To IP: 104.255.174.59"; classtype:trojan-activity; sid:4143211; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/277;) alert ip $HOME_NET any -> 104.255.174.60 any (msg: "MISP e277 [tlp:white] Outgoing To IP: 104.255.174.60"; classtype:trojan-activity; sid:4143221; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/277;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e278 [tlp:white,circl:incident-classification="phishing"] Source Email Address: safehands@safehandsschool.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"safehands@safehandsschool.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4143241; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/278;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e278 [tlp:white,circl:incident-classification="phishing"] Source Email Address: safehands@safehandsschool.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"safehands@safehandsschool.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4143271; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/278;) alert dns any any -> any any (msg: "MISP e278 [tlp:white,circl:incident-classification="phishing"] Hostname 217-23-3-76.hosted-by-worldstream.net"; dns.query; content:"217-23-3-76.hosted-by-worldstream.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])217\-23\-3\-76\.hosted\-by\-worldstream\.net$/i"; classtype:trojan-activity; sid:4143281; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/278;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e278 [tlp:white,circl:incident-classification="phishing"] Outgoing HTTP Hostname 217-23-3-76.hosted-by-worldstream.net"; flow:to_server,established; http.header; content: "Host|3a| 217-23-3-76.hosted-by-worldstream.net"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-\.])217\-23\-3\-76\.hosted\-by\-worldstream\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4143282; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/278;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e279 [misp-galaxy:country="kazakhstan",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573",tlp:white] Outgoing URL http|3a|//oppo-kz.custhelp.com"; flow:to_server,established; http.header; content:"oppo-kz.custhelp.com"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4143331; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/279;) alert ip $HOME_NET any -> 45.148.30.122 58442 (msg: "MISP e279 [misp-galaxy:country="kazakhstan",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573",tlp:white] Outgoing To IP: 45.148.30.122|58442"; classtype:trojan-activity; sid:4143341; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/279;) alert ip $HOME_NET any -> 85.159.27.61 8442 (msg: "MISP e279 [misp-galaxy:country="kazakhstan",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573",tlp:white] Outgoing To IP: 85.159.27.61|8442"; classtype:trojan-activity; sid:4143351; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/279;) alert dns any any -> any any (msg: "MISP e279 [misp-galaxy:country="kazakhstan",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573",tlp:white] Domain rojavanetwork.info"; dns.query; content:"rojavanetwork.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])rojavanetwork\.info$/i"; classtype:trojan-activity; sid:4143361; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/279;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg: "MISP e279 [misp-galaxy:country="kazakhstan",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573",tlp:white] Outgoing HTTP Domain rojavanetwork.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"rojavanetwork.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])rojavanetwork\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4143362; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/279;) alert ip $HOME_NET any -> 93.51.226.53 any (msg: "MISP e279 [misp-galaxy:country="kazakhstan",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573",tlp:white] Outgoing To IP: 93.51.226.53"; classtype:trojan-activity; sid:4143371; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/279;) alert ip $HOME_NET any -> 2.229.68.182 8442 (msg: "MISP e279 [misp-galaxy:country="kazakhstan",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573",tlp:white] Outgoing To IP: 2.229.68.182|8442"; classtype:trojan-activity; sid:4143471; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/279;) alert ip $HOME_NET any -> 2.228.150.86 8443 (msg: "MISP e279 [misp-galaxy:country="kazakhstan",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573",tlp:white] Outgoing To IP: 2.228.150.86|8443"; classtype:trojan-activity; sid:4143481; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/279;) alert ip $HOME_NET any -> 93.57.84.78 8443 (msg: "MISP e279 [misp-galaxy:country="kazakhstan",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573",tlp:white] Outgoing To IP: 
93.57.84.78|8443"; classtype:trojan-activity; sid:4143491; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/279;) alert ip $HOME_NET any -> 93.39.197.234 8443 (msg: "MISP e279 [misp-galaxy:country="kazakhstan",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573",tlp:white] Outgoing To IP: 93.39.197.234|8443"; classtype:trojan-activity; sid:4143501; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/279;) alert dns any any -> any any (msg: "MISP e279 [misp-galaxy:country="kazakhstan",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573",tlp:white] Domain 119-tim.info"; dns.query; content:"119-tim.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])119\-tim\.info$/i"; classtype:trojan-activity; sid:4143511; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/279;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e279 [misp-galaxy:country="kazakhstan",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573",tlp:white] Outgoing HTTP Domain 119-tim.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"119-tim.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])119\-tim\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4143512; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/279;) alert dns any any -> any any (msg: "MISP e279 [misp-galaxy:country="kazakhstan",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573",tlp:white] Domain 133-tre.info"; dns.query; content:"133-tre.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])133\-tre\.info$/i"; classtype:trojan-activity; sid:4143521; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/279;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e279 [misp-galaxy:country="kazakhstan",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573",tlp:white] Outgoing HTTP Domain 133-tre.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"133-tre.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])133\-tre\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4143522; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/279;) alert dns any any -> any any (msg: "MISP e279 [misp-galaxy:country="kazakhstan",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573",tlp:white] Domain 146-fastweb.info"; dns.query; content:"146-fastweb.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])146\-fastweb\.info$/i"; classtype:trojan-activity; sid:4143531; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/279;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e279 [misp-galaxy:country="kazakhstan",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573",tlp:white] Outgoing HTTP Domain 146-fastweb.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"146-fastweb.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])146\-fastweb\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4143532; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/279;) alert dns any any -> any any (msg: "MISP e279 [misp-galaxy:country="kazakhstan",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573",tlp:white] Domain 155-wind.info"; dns.query; content:"155-wind.info"; 
nocase; pcre: "/(^|[^A-Za-z0-9-])155\-wind\.info$/i"; classtype:trojan-activity; sid:4143541; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/279;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e279 [misp-galaxy:country="kazakhstan",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573",tlp:white] Outgoing HTTP Domain 155-wind.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"155-wind.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])155\-wind\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4143542; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/279;) alert dns any any -> any any (msg: "MISP e279 [misp-galaxy:country="kazakhstan",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573",tlp:white] Domain 159-windtre.info"; dns.query; content:"159-windtre.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])159\-windtre\.info$/i"; classtype:trojan-activity; sid:4143551; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/279;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e279 [misp-galaxy:country="kazakhstan",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573",tlp:white] Outgoing HTTP Domain 159-windtre.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"159-windtre.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])159\-windtre\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4143552; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/279;) alert dns any any -> any any (msg: "MISP e279 [misp-galaxy:country="kazakhstan",misp-galaxy:mitre-attack-pattern="Spearphishing Link - 
T1566.002",misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573",tlp:white] Domain iliad.info"; dns.query; content:"iliad.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])iliad\.info$/i"; classtype:trojan-activity; sid:4143561; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/279;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e279 [misp-galaxy:country="kazakhstan",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573",tlp:white] Outgoing HTTP Domain iliad.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"iliad.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])iliad\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4143562; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/279;) alert dns any any -> any any (msg: "MISP e279 [misp-galaxy:country="kazakhstan",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573",tlp:white] Domain amex-co.info"; dns.query; content:"amex-co.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])amex\-co\.info$/i"; classtype:trojan-activity; sid:4143571; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/279;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e279 [misp-galaxy:country="kazakhstan",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573",tlp:white] Outgoing HTTP Domain amex-co.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"amex-co.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])amex\-co\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4143572; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/279;) alert dns any any -> any any (msg: "MISP e279 
[misp-galaxy:country="kazakhstan",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573",tlp:white] Domain cloud-apple.info"; dns.query; content:"cloud-apple.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])cloud\-apple\.info$/i"; classtype:trojan-activity; sid:4143581; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/279;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e279 [misp-galaxy:country="kazakhstan",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573",tlp:white] Outgoing HTTP Domain cloud-apple.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cloud-apple.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cloud\-apple\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4143582; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/279;) alert dns any any -> any any (msg: "MISP e279 [misp-galaxy:country="kazakhstan",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573",tlp:white] Domain fb-techsupport.com"; dns.query; content:"fb-techsupport.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])fb\-techsupport\.com$/i"; classtype:trojan-activity; sid:4143591; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/279;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e279 [misp-galaxy:country="kazakhstan",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573",tlp:white] Outgoing HTTP Domain fb-techsupport.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"fb-techsupport.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])fb\-techsupport\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4143592; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/279;) alert dns any any -> any any (msg: "MISP e279 [misp-galaxy:country="kazakhstan",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573",tlp:white] Domain milf.house"; dns.query; content:"milf.house"; nocase; pcre: "/(^|[^A-Za-z0-9-])milf\.house$/i"; classtype:trojan-activity; sid:4143601; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/279;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e279 [misp-galaxy:country="kazakhstan",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573",tlp:white] Outgoing HTTP Domain milf.house"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"milf.house"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])milf\.house[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4143602; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/279;) alert dns any any -> any any (msg: "MISP e279 [misp-galaxy:country="kazakhstan",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573",tlp:white] Domain mobdemo.info"; dns.query; content:"mobdemo.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])mobdemo\.info$/i"; classtype:trojan-activity; sid:4143611; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/279;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e279 [misp-galaxy:country="kazakhstan",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573",tlp:white] Outgoing HTTP Domain mobdemo.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mobdemo.info"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])mobdemo\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4143612; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/279;) alert dns any any -> any any (msg: "MISP e279 [misp-galaxy:country="kazakhstan",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573",tlp:white] Domain mobilepays.info"; dns.query; content:"mobilepays.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])mobilepays\.info$/i"; classtype:trojan-activity; sid:4143621; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/279;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e279 [misp-galaxy:country="kazakhstan",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573",tlp:white] Outgoing HTTP Domain mobilepays.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mobilepays.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mobilepays\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4143622; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/279;) alert dns any any -> any any (msg: "MISP e279 [misp-galaxy:country="kazakhstan",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573",tlp:white] Domain kena-mobile.info"; dns.query; content:"kena-mobile.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])kena\-mobile\.info$/i"; classtype:trojan-activity; sid:4143631; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/279;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e279 [misp-galaxy:country="kazakhstan",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573",tlp:white] Outgoing HTTP Domain kena-mobile.info"; 
flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kena-mobile.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kena\-mobile\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4143632; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/279;) alert dns any any -> any any (msg: "MISP e279 [misp-galaxy:country="kazakhstan",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573",tlp:white] Domain poste-it.info"; dns.query; content:"poste-it.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])poste\-it\.info$/i"; classtype:trojan-activity; sid:4143641; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/279;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e279 [misp-galaxy:country="kazakhstan",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573",tlp:white] Outgoing HTTP Domain poste-it.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"poste-it.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])poste\-it\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4143642; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/279;) alert dns any any -> any any (msg: "MISP e279 [misp-galaxy:country="kazakhstan",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573",tlp:white] Domain store-apple.info"; dns.query; content:"store-apple.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])store\-apple\.info$/i"; classtype:trojan-activity; sid:4143651; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/279;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e279 [misp-galaxy:country="kazakhstan",misp-galaxy:mitre-attack-pattern="Spearphishing Link - 
T1566.002",misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573",tlp:white] Outgoing HTTP Domain store-apple.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"store-apple.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])store\-apple\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4143652; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/279;) alert dns any any -> any any (msg: "MISP e279 [misp-galaxy:country="kazakhstan",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573",tlp:white] Domain wind-h3g.info"; dns.query; content:"wind-h3g.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])wind\-h3g\.info$/i"; classtype:trojan-activity; sid:4143661; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/279;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e279 [misp-galaxy:country="kazakhstan",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573",tlp:white] Outgoing HTTP Domain wind-h3g.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wind-h3g.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wind\-h3g\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4143662; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/279;) alert dns any any -> any any (msg: "MISP e280 [misp-galaxy:threat-actor="Sofacy",misp-galaxy:target-information="Ukraine",tlp:white] Hostname www.specialityllc.com"; dns.query; content:"www.specialityllc.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.specialityllc\.com$/i"; classtype:trojan-activity; sid:4143701; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/280;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e280 
[misp-galaxy:threat-actor="Sofacy",misp-galaxy:target-information="Ukraine",tlp:white] Outgoing HTTP Hostname www.specialityllc.com"; flow:to_server,established; http.header; content: "Host|3a| www.specialityllc.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.specialityllc\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4143702; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/280;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e280 [misp-galaxy:threat-actor="Sofacy",misp-galaxy:target-information="Ukraine",tlp:white] Outgoing URL http|3a|//kitten-268.frge.io/article.html"; flow:to_server,established; http.header; content:"kitten-268.frge.io"; fast_pattern; nocase; http.uri; content:"/article.html"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4143711; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/280;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e280 [misp-galaxy:threat-actor="Sofacy",misp-galaxy:target-information="Ukraine",tlp:white] Outgoing URL http|3a|//kompartpomiar.pl/grafika/SQLite.Interop.dll"; flow:to_server,established; http.header; content:"kompartpomiar.pl"; fast_pattern; nocase; http.uri; content:"/grafika/SQLite.Interop.dll"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4143851; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/280;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e280 [misp-galaxy:threat-actor="Sofacy",misp-galaxy:target-information="Ukraine",tlp:white] Outgoing URL http|3a|//kompartpomiar.pl/grafika/docx.exe"; flow:to_server,established; http.header; content:"kompartpomiar.pl"; fast_pattern; nocase; http.uri; content:"/grafika/docx.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4143861; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/280;) alert ip $HOME_NET any -> 162.241.216.236 any 
(msg: "MISP e280 [misp-galaxy:threat-actor="Sofacy",misp-galaxy:target-information="Ukraine",tlp:white] Outgoing To IP: 162.241.216.236"; classtype:trojan-activity; sid:4143871; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/280;) alert dns any any -> any any (msg: "MISP e280 [misp-galaxy:threat-actor="Sofacy",misp-galaxy:target-information="Ukraine",tlp:white] Hostname kitten-268.frge.io"; dns.query; content:"kitten-268.frge.io"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])kitten\-268\.frge\.io$/i"; classtype:trojan-activity; sid:4143881; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/280;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e280 [misp-galaxy:threat-actor="Sofacy",misp-galaxy:target-information="Ukraine",tlp:white] Outgoing HTTP Hostname kitten-268.frge.io"; flow:to_server,established; http.header; content: "Host|3a| kitten-268.frge.io"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])kitten\-268\.frge\.io[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4143882; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/280;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e280 [misp-galaxy:threat-actor="Sofacy",misp-galaxy:target-information="Ukraine",tlp:white] Source Email Address: seo@specialityllc.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"seo@specialityllc.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4143911; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/280;) alert dns any any -> any any (msg: "MISP e281 [tlp:white] Domain assets.fans"; dns.query; content:"assets.fans"; nocase; pcre: "/(^|[^A-Za-z0-9-])assets\.fans$/i"; classtype:trojan-activity; sid:4143931; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/281;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e281 [tlp:white] Outgoing HTTP 
Domain assets.fans"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"assets.fans"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])assets\.fans[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4143932; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/281;) alert dns any any -> any any (msg: "MISP e281 [tlp:white] Domain caixa.cx"; dns.query; content:"caixa.cx"; nocase; pcre: "/(^|[^A-Za-z0-9-])caixa\.cx$/i"; classtype:trojan-activity; sid:4143941; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/281;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e281 [tlp:white] Outgoing HTTP Domain caixa.cx"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"caixa.cx"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])caixa\.cx[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4143942; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/281;) alert dns any any -> any any (msg: "MISP e281 [tlp:white] Domain dpf.fm"; dns.query; content:"dpf.fm"; nocase; pcre: "/(^|[^A-Za-z0-9-])dpf\.fm$/i"; classtype:trojan-activity; sid:4143951; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/281;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e281 [tlp:white] Outgoing HTTP Domain dpf.fm"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dpf.fm"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dpf\.fm[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4143952; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/281;) alert dns any any -> any any (msg: "MISP e281 [tlp:white] Domain bancodobrasil.dev"; dns.query; content:"bancodobrasil.dev"; nocase; pcre: "/(^|[^A-Za-z0-9-])bancodobrasil\.dev$/i"; classtype:trojan-activity; sid:4143961; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/281;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e281 [tlp:white] Outgoing HTTP Domain bancodobrasil.dev"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bancodobrasil.dev"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bancodobrasil\.dev[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4143962; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/281;) alert dns any any -> any any (msg: "MISP e281 [tlp:white] Hostname webfirewall.caixa.wf"; dns.query; content:"webfirewall.caixa.wf"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])webfirewall\.caixa\.wf$/i"; classtype:trojan-activity; sid:4143971; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/281;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e281 [tlp:white] Outgoing HTTP Hostname webfirewall.caixa.wf"; flow:to_server,established; http.header; content: "Host|3a| webfirewall.caixa.wf"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])webfirewall\.caixa\.wf[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4143972; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/281;) alert dns any any -> any any (msg: "MISP e281 [tlp:white] Domain caixa.wf"; dns.query; content:"caixa.wf"; nocase; pcre: "/(^|[^A-Za-z0-9-])caixa\.wf$/i"; classtype:trojan-activity; sid:4143981; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/281;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e281 [tlp:white] Outgoing HTTP Domain caixa.wf"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"caixa.wf"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])caixa\.wf[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4143982; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/281;) alert ip $HOME_NET any -> 172.111.192.233 any 
(msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing To IP: 172.111.192.233"; classtype:trojan-activity; sid:4145661; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert ip $HOME_NET any -> 59.188.234.233 any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - 
T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing To IP: 59.188.234.233"; classtype:trojan-activity; sid:4145671; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert ip $HOME_NET any -> 64.27.4.157 any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - 
T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing To IP: 64.27.4.157"; classtype:trojan-activity; sid:4145681; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert ip $HOME_NET any -> 64.27.4.19 any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing To IP: 64.27.4.19"; classtype:trojan-activity; sid:4145691; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/282;) alert ip $HOME_NET any -> 67.210.114.99 any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing To IP: 67.210.114.99"; classtype:trojan-activity; sid:4145701; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - 
T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname back.satunusa.org"; dns.query; content:"back.satunusa.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])back\.satunusa\.org$/i"; classtype:trojan-activity; sid:4145731; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through 
Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname back.satunusa.org"; flow:to_server,established; http.header; content: "Host|3a| back.satunusa.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])back\.satunusa\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4145732; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - 
T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname baomoi.vnptnet.info"; dns.query; content:"baomoi.vnptnet.info"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])baomoi\.vnptnet\.info$/i"; classtype:trojan-activity; sid:4145741; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname baomoi.vnptnet.info"; flow:to_server,established; http.header; content: "Host|3a| baomoi.vnptnet.info"; 
fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])baomoi\.vnptnet\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4145742; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname bbw.fushing.org"; dns.query; content:"bbw.fushing.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])bbw\.fushing\.org$/i"; classtype:trojan-activity; sid:4145751; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, 
Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname bbw.fushing.org"; flow:to_server,established; http.header; content: "Host|3a| bbw.fushing.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])bbw\.fushing\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4145752; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - 
T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname bca.zdungk.com"; dns.query; content:"bca.zdungk.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])bca\.zdungk\.com$/i"; classtype:trojan-activity; sid:4145761; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - 
T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname bca.zdungk.com"; flow:to_server,established; http.header; content: "Host|3a| bca.zdungk.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])bca\.zdungk\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4145762; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - 
T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname bkav.manlish.net"; dns.query; content:"bkav.manlish.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])bkav\.manlish\.net$/i"; classtype:trojan-activity; sid:4145771; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname bkav.manlish.net"; flow:to_server,established; http.header; 
content: "Host|3a| bkav.manlish.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])bkav\.manlish\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4145772; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname bkav.welikejack.com"; dns.query; content:"bkav.welikejack.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])bkav\.welikejack\.com$/i"; classtype:trojan-activity; sid:4145781; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, 
Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname bkav.welikejack.com"; flow:to_server,established; http.header; content: "Host|3a| bkav.welikejack.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])bkav\.welikejack\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4145782; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - 
T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname bkavonline.vnptnet.info"; dns.query; content:"bkavonline.vnptnet.info"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])bkavonline\.vnptnet\.info$/i"; classtype:trojan-activity; sid:4145791; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - 
T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname bkavonline.vnptnet.info"; flow:to_server,established; http.header; content: "Host|3a| bkavonline.vnptnet.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])bkavonline\.vnptnet\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4145792; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User 
Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Domain bush2015.net"; dns.query; content:"bush2015.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])bush2015\.net$/i"; classtype:trojan-activity; sid:4145801; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Domain 
bush2015.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bush2015.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bush2015\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4145802; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname cl.weststations.com"; dns.query; content:"cl.weststations.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cl\.weststations\.com$/i"; classtype:trojan-activity; sid:4145811; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: 
"MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname cl.weststations.com"; flow:to_server,established; http.header; content: "Host|3a| cl.weststations.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cl\.weststations\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4145812; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - 
T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Domain cloundvietnam.com"; dns.query; content:"cloundvietnam.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])cloundvietnam\.com$/i"; classtype:trojan-activity; sid:4145821; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - 
T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Domain cloundvietnam.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cloundvietnam.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cloundvietnam\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4145822; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;)
# --- MISP event 282: C2 hostnames / domains exported as Suricata rule pairs ---------------------
# Every indicator below produces two rules that share a sid prefix:
#   * sid ...1: `alert dns any any -> any any` on the queried name (dns.query). Note the `any`
#     source/destination: it fires on the lookup alone, from any host the sensor can see
#     (including a resolver forwarding upstream), and regardless of what the answer resolves to.
#   * sid ...2: `alert http $HOME_NET any -> $EXTERNAL_NET any` on the http.header buffer, with
#     tag:session,600,seconds so the next 10 minutes of that flow are logged after the alert.
# "Hostname" indicators anchor the pcre with (^|[^A-Za-z0-9-\.]) so only the exact FQDN matches;
# the one "Domain" indicator in this section (facebookmap.top) drops the \. from that class and
# therefore also matches every subdomain -- intended, but it is the wider net of the two forms.
# NOTE(review): all rules here are priority:1 / classtype:trojan-activity, and only the DNS rule
# can see anything when the C2 channel is HTTPS -- there is no tls.sni rule in this section, so
# add one per hostname if TLS visibility matters on the sensor that loads this file.
# NOTE(review): the msg strings embed the galaxy tags with unescaped double quotes
# (e.g. sector="Education"); confirm the target Suricata version loads these without error.
#
# dns.lioncity.top (sid 4145831 DNS / 4145832 HTTP)
alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname dns.lioncity.top"; dns.query; content:"dns.lioncity.top"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])dns\.lioncity\.top$/i"; classtype:trojan-activity; sid:4145831; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;)
# HTTP form: "Host|3a| <fqdn>" is the fast_pattern; the pcre's trailing [^A-Za-z0-9-\.] is what
# stops dns.lioncity.top from also matching a longer name such as dns.lioncity.topx, while a
# port suffix (":8080") still matches because ':' is outside that class.
# NOTE(review): the content assumes exactly one space after "Host:" in the http.header buffer --
# confirm the buffer is normalized that way on the target version; if not, "Host:<tab>" evades it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname dns.lioncity.top"; flow:to_server,established; http.header; content: "Host|3a| dns.lioncity.top"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])dns\.lioncity\.top[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4145832; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;)
# dns.satunusa.org (sid 4145841 DNS / 4145842 HTTP)
alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname dns.satunusa.org"; dns.query; content:"dns.satunusa.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])dns\.satunusa\.org$/i"; classtype:trojan-activity; sid:4145841; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname dns.satunusa.org"; flow:to_server,established; http.header; content: "Host|3a| dns.satunusa.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])dns\.satunusa\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4145842; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;)
# dns.zdungk.com (sid 4145851 DNS / 4145852 HTTP)
alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname dns.zdungk.com"; dns.query; content:"dns.zdungk.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])dns\.zdungk\.com$/i"; classtype:trojan-activity; sid:4145851; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname dns.zdungk.com"; flow:to_server,established; http.header; content: "Host|3a| dns.zdungk.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])dns\.zdungk\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4145852; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;)
# ds.vdcvn.com (sid 4145861 DNS / 4145862 HTTP)
alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname ds.vdcvn.com"; dns.query; content:"ds.vdcvn.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ds\.vdcvn\.com$/i"; classtype:trojan-activity; sid:4145861; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname ds.vdcvn.com"; flow:to_server,established; http.header; content: "Host|3a| ds.vdcvn.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ds\.vdcvn\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4145862; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;)
# ds.xrayccc.top (sid 4145871 DNS / 4145872 HTTP)
alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname ds.xrayccc.top"; dns.query; content:"ds.xrayccc.top"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ds\.xrayccc\.top$/i"; classtype:trojan-activity; sid:4145871; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname ds.xrayccc.top"; flow:to_server,established; http.header; content: "Host|3a| ds.xrayccc.top"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ds\.xrayccc\.top[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4145872; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;)
# facebookmap.top -- Domain form (sid 4145881 DNS / 4145882 HTTP): no \. in the look-behind class,
# so a.facebookmap.top and facebookmap.top both match.
alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Domain facebookmap.top"; dns.query; content:"facebookmap.top"; nocase; pcre: "/(^|[^A-Za-z0-9-])facebookmap\.top$/i"; classtype:trojan-activity; sid:4145881; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;)
# In the Domain HTTP form "Host|3a|" and the domain are two independent content matches and the
# pcre carries no "Host:" anchor, so the domain is accepted anywhere in the request headers
# (Referer, Origin, ...) as long as some Host header is present -- broader than the Hostname rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Domain facebookmap.top"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"facebookmap.top"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])facebookmap\.top[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4145882; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;)
# fbcl2.adsoft.name (sid 4145891 DNS / 4145892 HTTP)
alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname fbcl2.adsoft.name"; dns.query; content:"fbcl2.adsoft.name"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])fbcl2\.adsoft\.name$/i"; classtype:trojan-activity; sid:4145891; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname fbcl2.adsoft.name"; flow:to_server,established; http.header; content: "Host|3a| fbcl2.adsoft.name"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])fbcl2\.adsoft\.name[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4145892; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;)
# fbcl2.softad.net (sid 4145901 DNS / 4145902 HTTP)
alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname fbcl2.softad.net"; dns.query; content:"fbcl2.softad.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])fbcl2\.softad\.net$/i"; classtype:trojan-activity; sid:4145901; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname fbcl2.softad.net"; flow:to_server,established; http.header; content: "Host|3a| fbcl2.softad.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])fbcl2\.softad\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4145902; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;)
# flower2.yyppmm.com (sid 4145911 DNS / 4145912 HTTP)
alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname flower2.yyppmm.com"; dns.query; content:"flower2.yyppmm.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])flower2\.yyppmm\.com$/i"; classtype:trojan-activity; sid:4145911; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname flower2.yyppmm.com"; flow:to_server,established; http.header; content: "Host|3a| flower2.yyppmm.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])flower2\.yyppmm\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4145912; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;)
# game.vietnamflash.com (sid 4145921 DNS / 4145922 HTTP)
alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname game.vietnamflash.com"; dns.query; content:"game.vietnamflash.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])game\.vietnamflash\.com$/i"; classtype:trojan-activity; sid:4145921; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname game.vietnamflash.com"; flow:to_server,established; http.header; content: "Host|3a| game.vietnamflash.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])game\.vietnamflash\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4145922; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;)
# hello.bluesky1234.com (sid 4145931 DNS / 4145932 HTTP)
alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname hello.bluesky1234.com"; dns.query; content:"hello.bluesky1234.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])hello\.bluesky1234\.com$/i"; classtype:trojan-activity; sid:4145931; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname hello.bluesky1234.com"; flow:to_server,established; http.header; content: "Host|3a| hello.bluesky1234.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])hello\.bluesky1234\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4145932; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;)
# next indicator of event 282 (rule continues past the end of this section)
alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or 
Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname ipad.vnptnet.info"; dns.query; content:"ipad.vnptnet.info"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ipad\.vnptnet\.info$/i"; classtype:trojan-activity; sid:4145941; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - 
T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname ipad.vnptnet.info"; flow:to_server,established; http.header; content: "Host|3a| ipad.vnptnet.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ipad\.vnptnet\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4145942; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - 
T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname ks.manlish.net"; dns.query; content:"ks.manlish.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ks\.manlish\.net$/i"; classtype:trojan-activity; sid:4145951; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - 
T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname ks.manlish.net"; flow:to_server,established; http.header; content: "Host|3a| ks.manlish.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ks\.manlish\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4145952; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname lepad.fushing.org"; dns.query; content:"lepad.fushing.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])lepad\.fushing\.org$/i"; classtype:trojan-activity; sid:4145961; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname lepad.fushing.org"; flow:to_server,established; http.header; content: "Host|3a| lepad.fushing.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])lepad\.fushing\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4145962; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, 
Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname lllyyy.adsoft.name"; dns.query; content:"lllyyy.adsoft.name"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])lllyyy\.adsoft\.name$/i"; classtype:trojan-activity; sid:4145971; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library 
Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname lllyyy.adsoft.name"; flow:to_server,established; http.header; content: "Host|3a| lllyyy.adsoft.name"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])lllyyy\.adsoft\.name[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4145972; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - 
T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname lucky.manlish.net"; dns.query; content:"lucky.manlish.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])lucky\.manlish\.net$/i"; classtype:trojan-activity; sid:4145981; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web 
Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname lucky.manlish.net"; flow:to_server,established; http.header; content: "Host|3a| lucky.manlish.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])lucky\.manlish\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4145982; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname ma550.adsoft.name"; dns.query; content:"ma550.adsoft.name"; nocase; pcre: 
"/(^|[^A-Za-z0-9-\.])ma550\.adsoft\.name$/i"; classtype:trojan-activity; sid:4145991; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname ma550.adsoft.name"; flow:to_server,established; http.header; content: "Host|3a| ma550.adsoft.name"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ma550\.adsoft\.name[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4145992; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, 
Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname ma550.softad.net"; dns.query; content:"ma550.softad.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ma550\.softad\.net$/i"; classtype:trojan-activity; sid:4146001; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library 
Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname ma550.softad.net"; flow:to_server,established; http.header; content: "Host|3a| ma550.softad.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ma550\.softad\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146002; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - 
T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname mail.comnnet.net"; dns.query; content:"mail.comnnet.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mail\.comnnet\.net$/i"; classtype:trojan-activity; sid:4146011; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web 
Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname mail.comnnet.net"; flow:to_server,established; http.header; content: "Host|3a| mail.comnnet.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mail\.comnnet\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146012; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname mail.tiger1234.com"; dns.query; content:"mail.tiger1234.com"; nocase; pcre: 
"/(^|[^A-Za-z0-9-\.])mail\.tiger1234\.com$/i"; classtype:trojan-activity; sid:4146021; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname mail.tiger1234.com"; flow:to_server,established; http.header; content: "Host|3a| mail.tiger1234.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mail\.tiger1234\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146022; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, 
Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname mail.vdcvn.com"; dns.query; content:"mail.vdcvn.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mail\.vdcvn\.com$/i"; classtype:trojan-activity; sid:4146031; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - 
T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname mail.vdcvn.com"; flow:to_server,established; http.header; content: "Host|3a| mail.vdcvn.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mail\.vdcvn\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146032; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication 
Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname mass.longvn.net"; dns.query; content:"mass.longvn.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mass\.longvn\.net$/i"; classtype:trojan-activity; sid:4146041; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - 
T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname mass.longvn.net"; flow:to_server,established; http.header; content: "Host|3a| mass.longvn.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mass\.longvn\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146042; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname mcafee.bluesky1234.com"; dns.query; content:"mcafee.bluesky1234.com"; nocase; pcre: 
"/(^|[^A-Za-z0-9-\.])mcafee\.bluesky1234\.com$/i"; classtype:trojan-activity; sid:4146051; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname mcafee.bluesky1234.com"; flow:to_server,established; http.header; content: "Host|3a| mcafee.bluesky1234.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mcafee\.bluesky1234\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146052; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 
[misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname media.vietnamflash.com"; dns.query; content:"media.vietnamflash.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])media\.vietnamflash\.com$/i"; classtype:trojan-activity; sid:4146061; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - 
T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname media.vietnamflash.com"; flow:to_server,established; http.header; content: "Host|3a| media.vietnamflash.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])media\.vietnamflash\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146062; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - 
T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname mil.dungk.com"; dns.query; content:"mil.dungk.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mil\.dungk\.com$/i"; classtype:trojan-activity; sid:4146071; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - 
T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname mil.dungk.com"; flow:to_server,established; http.header; content: "Host|3a| mil.dungk.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mil\.dungk\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146072; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] 
Hostname mil.zdungk.com"; dns.query; content:"mil.zdungk.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mil\.zdungk\.com$/i"; classtype:trojan-activity; sid:4146081; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname mil.zdungk.com"; flow:to_server,established; http.header; content: "Host|3a| mil.zdungk.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mil\.zdungk\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146082; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 
[misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname mmchj2.telorg.net"; dns.query; content:"mmchj2.telorg.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mmchj2\.telorg\.net$/i"; classtype:trojan-activity; sid:4146091; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - 
T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname mmchj2.telorg.net"; flow:to_server,established; http.header; content: "Host|3a| mmchj2.telorg.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mmchj2\.telorg\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146092; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - 
T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname mmslsh.tiger1234.com"; dns.query; content:"mmslsh.tiger1234.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mmslsh\.tiger1234\.com$/i"; classtype:trojan-activity; sid:4146101; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - 
T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname mmslsh.tiger1234.com"; flow:to_server,established; http.header; content: "Host|3a| mmslsh.tiger1234.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mmslsh\.tiger1234\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146102; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection 
- T1055",tlp:white] Hostname mobile.vdcvn.com"; dns.query; content:"mobile.vdcvn.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mobile\.vdcvn\.com$/i"; classtype:trojan-activity; sid:4146111; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname mobile.vdcvn.com"; flow:to_server,established; http.header; content: "Host|3a| mobile.vdcvn.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mobile\.vdcvn\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146112; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> 
any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname moit.longvn.net"; dns.query; content:"moit.longvn.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])moit\.longvn\.net$/i"; classtype:trojan-activity; sid:4146121; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - 
T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname moit.longvn.net"; flow:to_server,established; http.header; content: "Host|3a| moit.longvn.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])moit\.longvn\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146122; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - 
T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname movie.vdcvn.com"; dns.query; content:"movie.vdcvn.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])movie\.vdcvn\.com$/i"; classtype:trojan-activity; sid:4146131; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - 
T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname movie.vdcvn.com"; flow:to_server,established; http.header; content: "Host|3a| movie.vdcvn.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])movie\.vdcvn\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146132; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - 
T1055",tlp:white] Hostname news.philstar2.com"; dns.query; content:"news.philstar2.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])news\.philstar2\.com$/i"; classtype:trojan-activity; sid:4146141; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname news.philstar2.com"; flow:to_server,established; http.header; content: "Host|3a| news.philstar2.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])news\.philstar2\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146142; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns 
any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname news.welikejack.com"; dns.query; content:"news.welikejack.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])news\.welikejack\.com$/i"; classtype:trojan-activity; sid:4146151; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - 
T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname news.welikejack.com"; flow:to_server,established; http.header; content: "Host|3a| news.welikejack.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])news\.welikejack\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146152; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - 
T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname npt.vnptnet.info"; dns.query; content:"npt.vnptnet.info"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])npt\.vnptnet\.info$/i"; classtype:trojan-activity; sid:4146161; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services 
- T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname npt.vnptnet.info"; flow:to_server,established; http.header; content: "Host|3a| npt.vnptnet.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])npt\.vnptnet\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146162; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - 
T1055",tlp:white] Hostname ns.fushing.org"; dns.query; content:"ns.fushing.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ns\.fushing\.org$/i"; classtype:trojan-activity; sid:4146171; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname ns.fushing.org"; flow:to_server,established; http.header; content: "Host|3a| ns.fushing.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ns\.fushing\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146172; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: 
"MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname nycl.neverdropd.com"; dns.query; content:"nycl.neverdropd.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])nycl\.neverdropd\.com$/i"; classtype:trojan-activity; sid:4146181; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - 
T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname nycl.neverdropd.com"; flow:to_server,established; http.header; content: "Host|3a| nycl.neverdropd.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])nycl\.neverdropd\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146182; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - 
T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname phcl.followag.org"; dns.query; content:"phcl.followag.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])phcl\.followag\.org$/i"; classtype:trojan-activity; sid:4146191; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System 
Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname phcl.followag.org"; flow:to_server,established; http.header; content: "Host|3a| phcl.followag.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])phcl\.followag\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146192; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process 
Injection - T1055",tlp:white] Hostname phcl.neverdropd.com"; dns.query; content:"phcl.neverdropd.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])phcl\.neverdropd\.com$/i"; classtype:trojan-activity; sid:4146201; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname phcl.neverdropd.com"; flow:to_server,established; http.header; content: "Host|3a| phcl.neverdropd.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])phcl\.neverdropd\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146202; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname pna.adsoft.name"; dns.query; content:"pna.adsoft.name"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])pna\.adsoft\.name$/i"; classtype:trojan-activity; sid:4146211; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - 
T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname pna.adsoft.name"; flow:to_server,established; http.header; content: "Host|3a| pna.adsoft.name"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])pna\.adsoft\.name[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146212; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - 
T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname pnavy3.neverdropd.com"; dns.query; content:"pnavy3.neverdropd.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])pnavy3\.neverdropd\.com$/i"; classtype:trojan-activity; sid:4146221; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System 
Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname pnavy3.neverdropd.com"; flow:to_server,established; http.header; content: "Host|3a| pnavy3.neverdropd.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])pnavy3\.neverdropd\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146222; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or 
Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname sky.bush2015.net"; dns.query; content:"sky.bush2015.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])sky\.bush2015\.net$/i"; classtype:trojan-activity; sid:4146231; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname sky.bush2015.net"; flow:to_server,established; http.header; content: "Host|3a| sky.bush2015.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])sky\.bush2015\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146232; rev:1; 
priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname sky.vietnamflash.com"; dns.query; content:"sky.vietnamflash.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])sky\.vietnamflash\.com$/i"; classtype:trojan-activity; sid:4146241; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart 
Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname sky.vietnamflash.com"; flow:to_server,established; http.header; content: "Host|3a| sky.vietnamflash.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])sky\.vietnamflash\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146242; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - 
T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname tcv.tiger1234.com"; dns.query; content:"tcv.tiger1234.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])tcv\.tiger1234\.com$/i"; classtype:trojan-activity; sid:4146251; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User 
Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname tcv.tiger1234.com"; flow:to_server,established; http.header; content: "Host|3a| tcv.tiger1234.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])tcv\.tiger1234\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146252; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - 
T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname telecom.longvn.net"; dns.query; content:"telecom.longvn.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])telecom\.longvn\.net$/i"; classtype:trojan-activity; sid:4146261; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname telecom.longvn.net"; flow:to_server,established; http.header; content: "Host|3a| telecom.longvn.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])telecom\.longvn\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146262; rev:1; 
priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname telecom.manlish.net"; dns.query; content:"telecom.manlish.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])telecom\.manlish\.net$/i"; classtype:trojan-activity; sid:4146271; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart 
Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname telecom.manlish.net"; flow:to_server,established; http.header; content: "Host|3a| telecom.manlish.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])telecom\.manlish\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146272; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - 
T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname th-y3.adsoft.name"; dns.query; content:"th-y3.adsoft.name"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])th\-y3\.adsoft\.name$/i"; classtype:trojan-activity; sid:4146281; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User 
Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname th-y3.adsoft.name"; flow:to_server,established; http.header; content: "Host|3a| th-y3.adsoft.name"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])th\-y3\.adsoft\.name[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146282; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - 
T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname th550.adsoft.name"; dns.query; content:"th550.adsoft.name"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])th550\.adsoft\.name$/i"; classtype:trojan-activity; sid:4146291; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname th550.adsoft.name"; flow:to_server,established; http.header; content: "Host|3a| th550.adsoft.name"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])th550\.adsoft\.name[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146292; rev:1; 
priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname th550.softad.net"; dns.query; content:"th550.softad.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])th550\.softad\.net$/i"; classtype:trojan-activity; sid:4146301; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - 
T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname th550.softad.net"; flow:to_server,established; http.header; content: "Host|3a| th550.softad.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])th550\.softad\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146302; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - 
T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname three.welikejack.com"; dns.query; content:"three.welikejack.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])three\.welikejack\.com$/i"; classtype:trojan-activity; sid:4146311; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System 
Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname three.welikejack.com"; flow:to_server,established; http.header; content: "Host|3a| three.welikejack.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])three\.welikejack\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146312; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or 
Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname thy3.softad.net"; dns.query; content:"thy3.softad.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])thy3\.softad\.net$/i"; classtype:trojan-activity; sid:4146321; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname thy3.softad.net"; flow:to_server,established; http.header; content: "Host|3a| thy3.softad.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])thy3\.softad\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146322; rev:1; 
priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Domain vdcvn.com"; dns.query; content:"vdcvn.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])vdcvn\.com$/i"; classtype:trojan-activity; sid:4146331; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - 
T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Domain vdcvn.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vdcvn.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vdcvn\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146332; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - 
T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname video.philstar2.com"; dns.query; content:"video.philstar2.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])video\.philstar2\.com$/i"; classtype:trojan-activity; sid:4146341; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System 
Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname video.philstar2.com"; flow:to_server,established; http.header; content: "Host|3a| video.philstar2.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])video\.philstar2\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146342; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information 
- T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname viet.vnptnet.info"; dns.query; content:"viet.vnptnet.info"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])viet\.vnptnet\.info$/i"; classtype:trojan-activity; sid:4146351; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname viet.vnptnet.info"; flow:to_server,established; http.header; content: "Host|3a| viet.vnptnet.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])viet\.vnptnet\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146352; rev:1; 
priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname viet.zdungk.com"; dns.query; content:"viet.zdungk.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])viet\.zdungk\.com$/i"; classtype:trojan-activity; sid:4146361; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - 
T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname viet.zdungk.com"; flow:to_server,established; http.header; content: "Host|3a| viet.zdungk.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])viet\.zdungk\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146362; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - 
T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname vietnam.vnptnet.info"; dns.query; content:"vietnam.vnptnet.info"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])vietnam\.vnptnet\.info$/i"; classtype:trojan-activity; sid:4146371; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System 
Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname vietnam.vnptnet.info"; flow:to_server,established; http.header; content: "Host|3a| vietnam.vnptnet.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])vietnam\.vnptnet\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146372; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or 
Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Domain vietnamflash.com"; dns.query; content:"vietnamflash.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])vietnamflash\.com$/i"; classtype:trojan-activity; sid:4146381; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Domain vietnamflash.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vietnamflash.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vietnamflash\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4146382; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname vnet.fushing.org"; dns.query; content:"vnet.fushing.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])vnet\.fushing\.org$/i"; classtype:trojan-activity; sid:4146391; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - 
T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname vnet.fushing.org"; flow:to_server,established; http.header; content: "Host|3a| vnet.fushing.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])vnet\.fushing\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146392; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - 
T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname vnn.bush2015.net"; dns.query; content:"vnn.bush2015.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])vnn\.bush2015\.net$/i"; classtype:trojan-activity; sid:4146401; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System 
Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname vnn.bush2015.net"; flow:to_server,established; http.header; content: "Host|3a| vnn.bush2015.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])vnn\.bush2015\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146402; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - 
T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname vnn.phung123.com"; dns.query; content:"vnn.phung123.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])vnn\.phung123\.com$/i"; classtype:trojan-activity; sid:4146411; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname vnn.phung123.com"; flow:to_server,established; http.header; content: "Host|3a| vnn.phung123.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-\.])vnn\.phung123\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146412; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname webmail.philstar2.com"; dns.query; content:"webmail.philstar2.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])webmail\.philstar2\.com$/i"; classtype:trojan-activity; sid:4146421; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, 
Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname webmail.philstar2.com"; flow:to_server,established; http.header; content: "Host|3a| webmail.philstar2.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])webmail\.philstar2\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146422; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - 
T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname www.bush2015.net"; dns.query; content:"www.bush2015.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.bush2015\.net$/i"; classtype:trojan-activity; sid:4146431; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - 
T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname www.bush2015.net"; flow:to_server,established; http.header; content: "Host|3a| www.bush2015.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.bush2015\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146432; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - 
T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname yok.fushing.org"; dns.query; content:"yok.fushing.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])yok\.fushing\.org$/i"; classtype:trojan-activity; sid:4146441; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname yok.fushing.org"; flow:to_server,established; http.header; 
content: "Host|3a| yok.fushing.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])yok\.fushing\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146442; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname yote.dellyou.com"; dns.query; content:"yote.dellyou.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])yote\.dellyou\.com$/i"; classtype:trojan-activity; sid:4146451; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, 
Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname yote.dellyou.com"; flow:to_server,established; http.header; content: "Host|3a| yote.dellyou.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])yote\.dellyou\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146452; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - 
T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname zing.vietnamflash.com"; dns.query; content:"zing.vietnamflash.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])zing\.vietnamflash\.com$/i"; classtype:trojan-activity; sid:4146461; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process 
Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname zing.vietnamflash.com"; flow:to_server,established; http.header; content: "Host|3a| zing.vietnamflash.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])zing\.vietnamflash\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146462; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System 
Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname zingme.dungk.com"; dns.query; content:"zingme.dungk.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])zingme\.dungk\.com$/i"; classtype:trojan-activity; sid:4146471; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname zingme.dungk.com"; flow:to_server,established; 
http.header; content: "Host|3a| zingme.dungk.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])zingme\.dungk\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146472; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname zingme.longvn.net"; dns.query; content:"zingme.longvn.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])zingme\.longvn\.net$/i"; classtype:trojan-activity; sid:4146481; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, 
Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname zingme.longvn.net"; flow:to_server,established; http.header; content: "Host|3a| zingme.longvn.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])zingme\.longvn\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146482; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - 
T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname zw.dinhk.net"; dns.query; content:"zw.dinhk.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])zw\.dinhk\.net$/i"; classtype:trojan-activity; sid:4146491; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - 
T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname zw.dinhk.net"; flow:to_server,established; http.header; content: "Host|3a| zw.dinhk.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])zw\.dinhk\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146492; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - 
T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname zw.phung123.co"; dns.query; content:"zw.phung123.co"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])zw\.phung123\.co$/i"; classtype:trojan-activity; sid:4146501; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname zw.phung123.co"; flow:to_server,established; http.header; 
content: "Host|3a| zw.phung123.co"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])zw\.phung123\.co[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146502; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert ip $HOME_NET any -> 45.77.11.148 any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing To IP: 45.77.11.148"; classtype:trojan-activity; sid:4146511; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, 
Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname cvb.hotcup.pw"; dns.query; content:"cvb.hotcup.pw"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cvb\.hotcup\.pw$/i"; classtype:trojan-activity; sid:4146521; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - 
T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname cvb.hotcup.pw"; flow:to_server,established; http.header; content: "Host|3a| cvb.hotcup.pw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cvb\.hotcup\.pw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146522; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication 
Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname dns.foodforthought1.com"; dns.query; content:"dns.foodforthought1.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])dns\.foodforthought1\.com$/i"; classtype:trojan-activity; sid:4146531; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - 
T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname dns.foodforthought1.com"; flow:to_server,established; http.header; content: "Host|3a| dns.foodforthought1.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])dns\.foodforthought1\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146532; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert dns any any -> any any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Hostname test.facebookmap.top"; dns.query; content:"test.facebookmap.top"; nocase; 
pcre: "/(^|[^A-Za-z0-9-\.])test\.facebookmap\.top$/i"; classtype:trojan-activity; sid:4146541; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e282 [misp-galaxy:sector="Education",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Telecoms",misp-galaxy:country="australia",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="Data Encoding - T1132",misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001",misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Services - T1569",misp-galaxy:mitre-attack-pattern="User Execution - T1204",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-enterprise-attack-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-enterprise-attack-attack-pattern="Process Injection - T1055",tlp:white] Outgoing HTTP Hostname test.facebookmap.top"; flow:to_server,established; http.header; content: "Host|3a| test.facebookmap.top"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])test\.facebookmap\.top[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4146542; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/282;) alert ip $HOME_NET any -> 192.95.20.8 any (msg: "MISP e284 [tlp:white] Outgoing To IP: 192.95.20.8"; 
classtype:trojan-activity; sid:4147541; rev:1; priority:4; reference:url,https://misp.botvrij.eu/events/view/284;) alert ip $HOME_NET any -> 185.136.163.104 any (msg: "MISP e285 [tlp:white] Outgoing To IP: 185.136.163.104"; classtype:trojan-activity; sid:4148691; rev:1; priority:4; reference:url,https://misp.botvrij.eu/events/view/285;) alert ip $HOME_NET any -> 134.119.177.107 any (msg: "MISP e285 [tlp:white] Outgoing To IP: 134.119.177.107"; classtype:trojan-activity; sid:4148701; rev:1; priority:4; reference:url,https://misp.botvrij.eu/events/view/285;) alert ip $HOME_NET any -> 162.245.190.203 any (msg: "MISP e285 [tlp:white] Outgoing To IP: 162.245.190.203"; classtype:trojan-activity; sid:4148711; rev:1; priority:4; reference:url,https://misp.botvrij.eu/events/view/285;) alert ip $HOME_NET any -> 155.94.211.207 any (msg: "MISP e285 [tlp:white] Outgoing To IP: 155.94.211.207"; classtype:trojan-activity; sid:4148721; rev:1; priority:4; reference:url,https://misp.botvrij.eu/events/view/285;) alert dns any any -> any any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Domain travinfor.com"; dns.query; content:"travinfor.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])travinfor\.com$/i"; classtype:trojan-activity; sid:4151981; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - 
T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Outgoing HTTP Domain travinfor.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"travinfor.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])travinfor\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4151982; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert dns any any -> any any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Domain webinfors.com"; dns.query; content:"webinfors.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])webinfors\.com$/i"; classtype:trojan-activity; sid:4151991; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Outgoing HTTP Domain webinfors.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"webinfors.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])webinfors\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4151992; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert dns any any 
-> any any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Domain khnga.com"; dns.query; content:"khnga.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])khnga\.com$/i"; classtype:trojan-activity; sid:4152001; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Outgoing HTTP Domain khnga.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"khnga.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])khnga\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4152002; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert dns any any -> any any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Domain netwebsoc.com"; dns.query; content:"netwebsoc.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])netwebsoc\.com$/i"; 
classtype:trojan-activity; sid:4152011; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Outgoing HTTP Domain netwebsoc.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"netwebsoc.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])netwebsoc\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4152012; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert dns any any -> any any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Domain infcloudnet.com"; dns.query; content:"infcloudnet.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])infcloudnet\.com$/i"; classtype:trojan-activity; sid:4152021; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - 
T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Outgoing HTTP Domain infcloudnet.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"infcloudnet.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])infcloudnet\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4152022; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert dns any any -> any any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Domain bgamifieder.com"; dns.query; content:"bgamifieder.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])bgamifieder\.com$/i"; classtype:trojan-activity; sid:4152031; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Outgoing HTTP Domain bgamifieder.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bgamifieder.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bgamifieder\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4152032; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert dns any any -> any any (msg: "MISP e286 
[misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Domain bunflun.com"; dns.query; content:"bunflun.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])bunflun\.com$/i"; classtype:trojan-activity; sid:4152041; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Outgoing HTTP Domain bunflun.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bunflun.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bunflun\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4152042; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert dns any any -> any any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Domain refinance-ltd.com"; dns.query; content:"refinance-ltd.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])refinance\-ltd\.com$/i"; 
classtype:trojan-activity; sid:4152051; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Outgoing HTTP Domain refinance-ltd.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"refinance-ltd.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])refinance\-ltd\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4152052; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert dns any any -> any any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Domain book-advp.com"; dns.query; content:"book-advp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])book\-advp\.com$/i"; classtype:trojan-activity; sid:4152061; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - 
T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Outgoing HTTP Domain book-advp.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"book-advp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])book\-advp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4152062; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert dns any any -> any any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Domain mailservice-ns.com"; dns.query; content:"mailservice-ns.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])mailservice\-ns\.com$/i"; classtype:trojan-activity; sid:4152071; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Outgoing HTTP Domain mailservice-ns.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mailservice-ns.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mailservice\-ns\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4152072; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert dns any any -> any any (msg: "MISP 
e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Domain advertbart.com"; dns.query; content:"advertbart.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])advertbart\.com$/i"; classtype:trojan-activity; sid:4152081; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Outgoing HTTP Domain advertbart.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"advertbart.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])advertbart\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4152082; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert dns any any -> any any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Domain inetp-service.com"; dns.query; content:"inetp-service.com"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])inetp\-service\.com$/i"; classtype:trojan-activity; sid:4152091; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Outgoing HTTP Domain inetp-service.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"inetp-service.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])inetp\-service\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4152092; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert dns any any -> any any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Domain yomangaw.com"; dns.query; content:"yomangaw.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])yomangaw\.com$/i"; classtype:trojan-activity; sid:4152101; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - 
T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Outgoing HTTP Domain yomangaw.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"yomangaw.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])yomangaw\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4152102; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert dns any any -> any any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Domain covdd.org"; dns.query; content:"covdd.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])covdd\.org$/i"; classtype:trojan-activity; sid:4152111; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Outgoing HTTP Domain covdd.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"covdd.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])covdd\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4152112; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert dns any any -> any any (msg: "MISP 
e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Domain visitaustriaislands.com"; dns.query; content:"visitaustriaislands.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])visitaustriaislands\.com$/i"; classtype:trojan-activity; sid:4152121; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Outgoing HTTP Domain visitaustriaislands.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"visitaustriaislands.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])visitaustriaislands\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4152122; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert dns any any -> any any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Domain traveladvnow.com"; dns.query; 
content:"traveladvnow.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])traveladvnow\.com$/i"; classtype:trojan-activity; sid:4152131; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Outgoing HTTP Domain traveladvnow.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"traveladvnow.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])traveladvnow\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4152132; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert dns any any -> any any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Domain tripadvit.com"; dns.query; content:"tripadvit.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])tripadvit\.com$/i"; classtype:trojan-activity; sid:4152141; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - 
T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Outgoing HTTP Domain tripadvit.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tripadvit.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tripadvit\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4152142; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert dns any any -> any any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Domain moreofestonia.com"; dns.query; content:"moreofestonia.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])moreofestonia\.com$/i"; classtype:trojan-activity; sid:4152151; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Outgoing HTTP Domain moreofestonia.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"moreofestonia.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])moreofestonia\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4152152; rev:1; 
priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert dns any any -> any any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Domain moretraveladv.com"; dns.query; content:"moretraveladv.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])moretraveladv\.com$/i"; classtype:trojan-activity; sid:4152161; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Outgoing HTTP Domain moretraveladv.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"moretraveladv.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])moretraveladv\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4152162; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert dns any any -> any any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - 
G0120",tlp:white] Domain estoniaforall.com"; dns.query; content:"estoniaforall.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])estoniaforall\.com$/i"; classtype:trojan-activity; sid:4152171; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Outgoing HTTP Domain estoniaforall.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"estoniaforall.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])estoniaforall\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4152172; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert dns any any -> any any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Domain bookingitnow.org"; dns.query; content:"bookingitnow.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])bookingitnow\.org$/i"; classtype:trojan-activity; sid:4152181; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command 
and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Outgoing HTTP Domain bookingitnow.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bookingitnow.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bookingitnow\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4152182; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert dns any any -> any any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Domain travelbooknow.org"; dns.query; content:"travelbooknow.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])travelbooknow\.org$/i"; classtype:trojan-activity; sid:4152191; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Outgoing HTTP Domain travelbooknow.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"travelbooknow.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])travelbooknow\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4152192; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert dns any any -> any any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Domain bookaustriavisit.com"; dns.query; content:"bookaustriavisit.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])bookaustriavisit\.com$/i"; classtype:trojan-activity; sid:4152201; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Outgoing HTTP Domain bookaustriavisit.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bookaustriavisit.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bookaustriavisit\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4152202; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert dns any any -> any any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual 
Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Domain windnetap.com"; dns.query; content:"windnetap.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])windnetap\.com$/i"; classtype:trojan-activity; sid:4152211; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Outgoing HTTP Domain windnetap.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"windnetap.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])windnetap\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4152212; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert dns any any -> any any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Domain roblexmeet.com"; dns.query; content:"roblexmeet.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])roblexmeet\.com$/i"; classtype:trojan-activity; sid:4152221; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - 
T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Outgoing HTTP Domain roblexmeet.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"roblexmeet.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])roblexmeet\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4152222; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert dns any any -> any any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Domain netrcmapi.com"; dns.query; content:"netrcmapi.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])netrcmapi\.com$/i"; classtype:trojan-activity; sid:4152231; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Outgoing HTTP Domain netrcmapi.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"netrcmapi.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])netrcmapi\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4152232; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert dns any any -> any any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Domain meetomoves.com"; dns.query; content:"meetomoves.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])meetomoves\.com$/i"; classtype:trojan-activity; sid:4152241; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Outgoing HTTP Domain meetomoves.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"meetomoves.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])meetomoves\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4152242; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert dns any any -> any any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - 
T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Domain bingapianalytics.com"; dns.query; content:"bingapianalytics.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])bingapianalytics\.com$/i"; classtype:trojan-activity; sid:4152251; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Outgoing HTTP Domain bingapianalytics.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bingapianalytics.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bingapianalytics\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4152252; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert dns any any -> any any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Domain azuredcloud.com"; dns.query; content:"azuredcloud.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])azuredcloud\.com$/i"; classtype:trojan-activity; sid:4152261; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e286 
[misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Outgoing HTTP Domain azuredcloud.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"azuredcloud.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])azuredcloud\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4152262; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert dns any any -> any any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Domain appdllsvc.com"; dns.query; content:"appdllsvc.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])appdllsvc\.com$/i"; classtype:trojan-activity; sid:4152271; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Outgoing HTTP Domain appdllsvc.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; 
content:"appdllsvc.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])appdllsvc\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4152272; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert dns any any -> any any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Domain udporm.com"; dns.query; content:"udporm.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])udporm\.com$/i"; classtype:trojan-activity; sid:4152281; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Outgoing HTTP Domain udporm.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"udporm.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])udporm\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4152282; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert dns any any -> any any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - 
T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Domain pcamanalytics.com"; dns.query; content:"pcamanalytics.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])pcamanalytics\.com$/i"; classtype:trojan-activity; sid:4152291; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Outgoing HTTP Domain pcamanalytics.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pcamanalytics.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pcamanalytics\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4152292; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert dns any any -> any any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Domain nortonalytics.com"; dns.query; content:"nortonalytics.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])nortonalytics\.com$/i"; classtype:trojan-activity; sid:4152301; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e286 
[misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Outgoing HTTP Domain nortonalytics.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nortonalytics.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nortonalytics\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4152302; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert dns any any -> any any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Domain deltacldll.com"; dns.query; content:"deltacldll.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])deltacldll\.com$/i"; classtype:trojan-activity; sid:4152311; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Outgoing HTTP Domain deltacldll.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; 
http.header; content:"deltacldll.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])deltacldll\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4152312; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert dns any any -> any any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Domain mscloudin.com"; dns.query; content:"mscloudin.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])mscloudin\.com$/i"; classtype:trojan-activity; sid:4152321; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Outgoing HTTP Domain mscloudin.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mscloudin.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mscloudin\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4152322; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;) alert dns any any -> any any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - 
T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Domain msdllopt.com"; dns.query; content:"msdllopt.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])msdllopt\.com$/i"; classtype:trojan-activity; sid:4152331; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;)
# "Domain" rules (e286, Evilnum): the PCRE left anchor (^|[^A-Za-z0-9-]) accepts a preceding "."
# so any subdomain of the listed domain matches as well. The HTTP variant inspects only the
# http.header buffer of cleartext HTTP (flow:to_server,established); HTTPS/TLS connections to the
# same domain are not covered by these rules -- pair with DNS/SNI logging or a tls.sni rule if
# TLS coverage is required. tag:session,600,seconds logs the rest of the flow for 10 minutes.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e286 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:sector="Finance",misp-galaxy:sector="Technology",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-intrusion-set="Evilnum - G0120",tlp:white] Outgoing HTTP Domain msdllopt.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"msdllopt.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])msdllopt\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4152332; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/286;)
# --- MISP event 288: TA428 / nccTrojan / Cotx RAT (per the galaxy tags carried in msg). ---
# "Hostname" rules differ from the "Domain" rules above: the PCRE left anchor (^|[^A-Za-z0-9-\.])
# rejects a preceding ".", so only the exact FQDN matches, not further subdomain labels.
# The DNS rules fire on the query alone (any any -> any any, no flow keyword), so a resolver's
# forwarded query or a sandbox lookup also triggers them if it crosses the monitored link.
alert dns any any -> any any (msg: "MISP e288 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:threat-actor="TA428",misp-galaxy:malpedia="nccTrojan",misp-galaxy:malpedia="Cotx RAT",misp-galaxy:mitre-tool="NBTscan - S0590",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:sector="Defense",misp-galaxy:sector="Government, Administration",tlp:white,dhs-ciip-sectors:DHS-critical-sectors="government-facilities"] Hostname www1.nppnavigator.net"; dns.query; content:"www1.nppnavigator.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www1\.nppnavigator\.net$/i"; classtype:trojan-activity; sid:4154231; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/288;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg: "MISP e288 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:threat-actor="TA428",misp-galaxy:malpedia="nccTrojan",misp-galaxy:malpedia="Cotx RAT",misp-galaxy:mitre-tool="NBTscan - S0590",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:sector="Defense",misp-galaxy:sector="Government, Administration",tlp:white,dhs-ciip-sectors:DHS-critical-sectors="government-facilities"] Outgoing HTTP Hostname www1.nppnavigator.net"; flow:to_server,established; http.header; content: "Host|3a| www1.nppnavigator.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www1\.nppnavigator\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4154232; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/288;) alert dns any any -> any any (msg: "MISP e288 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:threat-actor="TA428",misp-galaxy:malpedia="nccTrojan",misp-galaxy:malpedia="Cotx RAT",misp-galaxy:mitre-tool="NBTscan - S0590",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:sector="Defense",misp-galaxy:sector="Government, Administration",tlp:white,dhs-ciip-sectors:DHS-critical-sectors="government-facilities"] Hostname www3.vpkimplus.com"; dns.query; content:"www3.vpkimplus.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www3\.vpkimplus\.com$/i"; classtype:trojan-activity; sid:4154241; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/288;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e288 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:threat-actor="TA428",misp-galaxy:malpedia="nccTrojan",misp-galaxy:malpedia="Cotx RAT",misp-galaxy:mitre-tool="NBTscan - S0590",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:sector="Defense",misp-galaxy:sector="Government, 
Administration",tlp:white,dhs-ciip-sectors:DHS-critical-sectors="government-facilities"] Outgoing HTTP Hostname www3.vpkimplus.com"; flow:to_server,established; http.header; content: "Host|3a| www3.vpkimplus.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www3\.vpkimplus\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4154242; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/288;)
# "Outgoing To IP" rule: plain "alert ip" with no flow keyword, so it fires on every packet from
# $HOME_NET toward this address regardless of protocol or port and whether the connection ever
# completes (e.g. a lone SYN). IP indicators age quickly (shared hosting, re-assigned VPS);
# verify current ownership before turning this into a drop/block action.
alert ip $HOME_NET any -> 45.151.180.178 any (msg: "MISP e288 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:threat-actor="TA428",misp-galaxy:malpedia="nccTrojan",misp-galaxy:malpedia="Cotx RAT",misp-galaxy:mitre-tool="NBTscan - S0590",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:sector="Defense",misp-galaxy:sector="Government, Administration",tlp:white,dhs-ciip-sectors:DHS-critical-sectors="government-facilities"] Outgoing To IP: 45.151.180.178"; classtype:trojan-activity; sid:4154251; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/288;)
# Hostname pair for custom.songuulcomiss.com. The HTTP rule's content "Host|3a| <fqdn>" requires
# exactly one space after "Host:"; a port suffix (Host: <fqdn>:8080) still matches because the
# PCRE only requires a non-domain character after the name. Cleartext HTTP only -- no TLS/SNI
# coverage in this section.
alert dns any any -> any any (msg: "MISP e288 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:threat-actor="TA428",misp-galaxy:malpedia="nccTrojan",misp-galaxy:malpedia="Cotx RAT",misp-galaxy:mitre-tool="NBTscan - S0590",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:sector="Defense",misp-galaxy:sector="Government, Administration",tlp:white,dhs-ciip-sectors:DHS-critical-sectors="government-facilities"] Hostname custom.songuulcomiss.com"; dns.query; content:"custom.songuulcomiss.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])custom\.songuulcomiss\.com$/i"; classtype:trojan-activity; sid:4154261; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/288;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e288 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - 
T1566.001",misp-galaxy:threat-actor="TA428",misp-galaxy:malpedia="nccTrojan",misp-galaxy:malpedia="Cotx RAT",misp-galaxy:mitre-tool="NBTscan - S0590",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:sector="Defense",misp-galaxy:sector="Government, Administration",tlp:white,dhs-ciip-sectors:DHS-critical-sectors="government-facilities"] Outgoing HTTP Hostname custom.songuulcomiss.com"; flow:to_server,established; http.header; content: "Host|3a| custom.songuulcomiss.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])custom\.songuulcomiss\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4154262; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/288;) alert dns any any -> any any (msg: "MISP e288 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:threat-actor="TA428",misp-galaxy:malpedia="nccTrojan",misp-galaxy:malpedia="Cotx RAT",misp-galaxy:mitre-tool="NBTscan - S0590",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:sector="Defense",misp-galaxy:sector="Government, Administration",tlp:white,dhs-ciip-sectors:DHS-critical-sectors="government-facilities"] Hostname tech.songuulcomiss.com"; dns.query; content:"tech.songuulcomiss.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])tech\.songuulcomiss\.com$/i"; classtype:trojan-activity; sid:4154271; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/288;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e288 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:threat-actor="TA428",misp-galaxy:malpedia="nccTrojan",misp-galaxy:malpedia="Cotx RAT",misp-galaxy:mitre-tool="NBTscan - S0590",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:sector="Defense",misp-galaxy:sector="Government, Administration",tlp:white,dhs-ciip-sectors:DHS-critical-sectors="government-facilities"] Outgoing HTTP 
Hostname tech.songuulcomiss.com"; flow:to_server,established; http.header; content: "Host|3a| tech.songuulcomiss.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])tech\.songuulcomiss\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4154272; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/288;) alert dns any any -> any any (msg: "MISP e288 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:threat-actor="TA428",misp-galaxy:malpedia="nccTrojan",misp-galaxy:malpedia="Cotx RAT",misp-galaxy:mitre-tool="NBTscan - S0590",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:sector="Defense",misp-galaxy:sector="Government, Administration",tlp:white,dhs-ciip-sectors:DHS-critical-sectors="government-facilities"] Hostname video.nicblainfo.net"; dns.query; content:"video.nicblainfo.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])video\.nicblainfo\.net$/i"; classtype:trojan-activity; sid:4154281; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/288;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e288 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:threat-actor="TA428",misp-galaxy:malpedia="nccTrojan",misp-galaxy:malpedia="Cotx RAT",misp-galaxy:mitre-tool="NBTscan - S0590",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:sector="Defense",misp-galaxy:sector="Government, Administration",tlp:white,dhs-ciip-sectors:DHS-critical-sectors="government-facilities"] Outgoing HTTP Hostname video.nicblainfo.net"; flow:to_server,established; http.header; content: "Host|3a| video.nicblainfo.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])video\.nicblainfo\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4154282; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/288;) alert ip $HOME_NET any -> 160.202.162.122 any (msg: "MISP 
e288 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:threat-actor="TA428",misp-galaxy:malpedia="nccTrojan",misp-galaxy:malpedia="Cotx RAT",misp-galaxy:mitre-tool="NBTscan - S0590",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:sector="Defense",misp-galaxy:sector="Government, Administration",tlp:white,dhs-ciip-sectors:DHS-critical-sectors="government-facilities"] Outgoing To IP: 160.202.162.122"; classtype:trojan-activity; sid:4154291; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/288;) alert dns any any -> any any (msg: "MISP e288 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:threat-actor="TA428",misp-galaxy:malpedia="nccTrojan",misp-galaxy:malpedia="Cotx RAT",misp-galaxy:mitre-tool="NBTscan - S0590",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:sector="Defense",misp-galaxy:sector="Government, Administration",tlp:white,dhs-ciip-sectors:DHS-critical-sectors="government-facilities"] Hostname doc.redstrpela.net"; dns.query; content:"doc.redstrpela.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])doc\.redstrpela\.net$/i"; classtype:trojan-activity; sid:4154301; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/288;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e288 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:threat-actor="TA428",misp-galaxy:malpedia="nccTrojan",misp-galaxy:malpedia="Cotx RAT",misp-galaxy:mitre-tool="NBTscan - S0590",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:sector="Defense",misp-galaxy:sector="Government, Administration",tlp:white,dhs-ciip-sectors:DHS-critical-sectors="government-facilities"] Outgoing HTTP Hostname doc.redstrpela.net"; flow:to_server,established; http.header; content: "Host|3a| doc.redstrpela.net"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-\.])doc\.redstrpela\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4154302; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/288;) alert dns any any -> any any (msg: "MISP e288 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:threat-actor="TA428",misp-galaxy:malpedia="nccTrojan",misp-galaxy:malpedia="Cotx RAT",misp-galaxy:mitre-tool="NBTscan - S0590",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:sector="Defense",misp-galaxy:sector="Government, Administration",tlp:white,dhs-ciip-sectors:DHS-critical-sectors="government-facilities"] Hostname fax.internnetionfax.com"; dns.query; content:"fax.internnetionfax.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])fax\.internnetionfax\.com$/i"; classtype:trojan-activity; sid:4154311; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/288;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e288 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:threat-actor="TA428",misp-galaxy:malpedia="nccTrojan",misp-galaxy:malpedia="Cotx RAT",misp-galaxy:mitre-tool="NBTscan - S0590",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:sector="Defense",misp-galaxy:sector="Government, Administration",tlp:white,dhs-ciip-sectors:DHS-critical-sectors="government-facilities"] Outgoing HTTP Hostname fax.internnetionfax.com"; flow:to_server,established; http.header; content: "Host|3a| fax.internnetionfax.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])fax\.internnetionfax\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4154312; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/288;) alert dns any any -> any any (msg: "MISP e288 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - 
T1566.001",misp-galaxy:threat-actor="TA428",misp-galaxy:malpedia="nccTrojan",misp-galaxy:malpedia="Cotx RAT",misp-galaxy:mitre-tool="NBTscan - S0590",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:sector="Defense",misp-galaxy:sector="Government, Administration",tlp:white,dhs-ciip-sectors:DHS-critical-sectors="government-facilities"] Hostname www2.defensysminck.net"; dns.query; content:"www2.defensysminck.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www2\.defensysminck\.net$/i"; classtype:trojan-activity; sid:4154321; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/288;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e288 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:threat-actor="TA428",misp-galaxy:malpedia="nccTrojan",misp-galaxy:malpedia="Cotx RAT",misp-galaxy:mitre-tool="NBTscan - S0590",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:sector="Defense",misp-galaxy:sector="Government, Administration",tlp:white,dhs-ciip-sectors:DHS-critical-sectors="government-facilities"] Outgoing HTTP Hostname www2.defensysminck.net"; flow:to_server,established; http.header; content: "Host|3a| www2.defensysminck.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www2\.defensysminck\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4154322; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/288;) alert dns any any -> any any (msg: "MISP e288 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:threat-actor="TA428",misp-galaxy:malpedia="nccTrojan",misp-galaxy:malpedia="Cotx RAT",misp-galaxy:mitre-tool="NBTscan - S0590",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:sector="Defense",misp-galaxy:sector="Government, Administration",tlp:white,dhs-ciip-sectors:DHS-critical-sectors="government-facilities"] Hostname 
info.ntcprotek.com"; dns.query; content:"info.ntcprotek.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])info\.ntcprotek\.com$/i"; classtype:trojan-activity; sid:4154331; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/288;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e288 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:threat-actor="TA428",misp-galaxy:malpedia="nccTrojan",misp-galaxy:malpedia="Cotx RAT",misp-galaxy:mitre-tool="NBTscan - S0590",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:sector="Defense",misp-galaxy:sector="Government, Administration",tlp:white,dhs-ciip-sectors:DHS-critical-sectors="government-facilities"] Outgoing HTTP Hostname info.ntcprotek.com"; flow:to_server,established; http.header; content: "Host|3a| info.ntcprotek.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])info\.ntcprotek\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4154332; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/288;) alert dns any any -> any any (msg: "MISP e288 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:threat-actor="TA428",misp-galaxy:malpedia="nccTrojan",misp-galaxy:malpedia="Cotx RAT",misp-galaxy:mitre-tool="NBTscan - S0590",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:sector="Defense",misp-galaxy:sector="Government, Administration",tlp:white,dhs-ciip-sectors:DHS-critical-sectors="government-facilities"] Hostname www1.dotomater.club"; dns.query; content:"www1.dotomater.club"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www1\.dotomater\.club$/i"; classtype:trojan-activity; sid:4154341; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/288;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e288 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - 
T1566.001",misp-galaxy:threat-actor="TA428",misp-galaxy:malpedia="nccTrojan",misp-galaxy:malpedia="Cotx RAT",misp-galaxy:mitre-tool="NBTscan - S0590",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:sector="Defense",misp-galaxy:sector="Government, Administration",tlp:white,dhs-ciip-sectors:DHS-critical-sectors="government-facilities"] Outgoing HTTP Hostname www1.dotomater.club"; flow:to_server,established; http.header; content: "Host|3a| www1.dotomater.club"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www1\.dotomater\.club[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4154342; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/288;) alert ip $HOME_NET any -> 192.248.182.121 any (msg: "MISP e288 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:threat-actor="TA428",misp-galaxy:malpedia="nccTrojan",misp-galaxy:malpedia="Cotx RAT",misp-galaxy:mitre-tool="NBTscan - S0590",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:sector="Defense",misp-galaxy:sector="Government, Administration",tlp:white,dhs-ciip-sectors:DHS-critical-sectors="government-facilities"] Outgoing To IP: 192.248.182.121"; classtype:trojan-activity; sid:4154351; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/288;) alert dns any any -> any any (msg: "MISP e288 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:threat-actor="TA428",misp-galaxy:malpedia="nccTrojan",misp-galaxy:malpedia="Cotx RAT",misp-galaxy:mitre-tool="NBTscan - S0590",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:sector="Defense",misp-galaxy:sector="Government, Administration",tlp:white,dhs-ciip-sectors:DHS-critical-sectors="government-facilities"] Hostname www2.sdelanasnou.com"; dns.query; content:"www2.sdelanasnou.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www2\.sdelanasnou\.com$/i"; 
classtype:trojan-activity; sid:4154361; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/288;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e288 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:threat-actor="TA428",misp-galaxy:malpedia="nccTrojan",misp-galaxy:malpedia="Cotx RAT",misp-galaxy:mitre-tool="NBTscan - S0590",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:sector="Defense",misp-galaxy:sector="Government, Administration",tlp:white,dhs-ciip-sectors:DHS-critical-sectors="government-facilities"] Outgoing HTTP Hostname www2.sdelanasnou.com"; flow:to_server,established; http.header; content: "Host|3a| www2.sdelanasnou.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www2\.sdelanasnou\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4154362; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/288;) alert ip $HOME_NET any -> 54.36.189.105 any (msg: "MISP e288 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:threat-actor="TA428",misp-galaxy:malpedia="nccTrojan",misp-galaxy:malpedia="Cotx RAT",misp-galaxy:mitre-tool="NBTscan - S0590",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:sector="Defense",misp-galaxy:sector="Government, Administration",tlp:white,dhs-ciip-sectors:DHS-critical-sectors="government-facilities"] Outgoing To IP: 54.36.189.105"; classtype:trojan-activity; sid:4154371; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/288;) alert ip $HOME_NET any -> 5.180.174.10 any (msg: "MISP e288 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:threat-actor="TA428",misp-galaxy:malpedia="nccTrojan",misp-galaxy:malpedia="Cotx RAT",misp-galaxy:mitre-tool="NBTscan - S0590",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - 
T1021.001",misp-galaxy:sector="Defense",misp-galaxy:sector="Government, Administration",tlp:white,dhs-ciip-sectors:DHS-critical-sectors="government-facilities"] Outgoing To IP: 5.180.174.10"; classtype:trojan-activity; sid:4154381; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/288;) alert ip $HOME_NET any -> 45.63.27.162 any (msg: "MISP e288 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:threat-actor="TA428",misp-galaxy:malpedia="nccTrojan",misp-galaxy:malpedia="Cotx RAT",misp-galaxy:mitre-tool="NBTscan - S0590",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:sector="Defense",misp-galaxy:sector="Government, Administration",tlp:white,dhs-ciip-sectors:DHS-critical-sectors="government-facilities"] Outgoing To IP: 45.63.27.162"; classtype:trojan-activity; sid:4154391; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/288;) alert dns any any -> any any (msg: "MISP e288 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:threat-actor="TA428",misp-galaxy:malpedia="nccTrojan",misp-galaxy:malpedia="Cotx RAT",misp-galaxy:mitre-tool="NBTscan - S0590",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:sector="Defense",misp-galaxy:sector="Government, Administration",tlp:white,dhs-ciip-sectors:DHS-critical-sectors="government-facilities"] Hostname server.dotomater.club"; dns.query; content:"server.dotomater.club"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])server\.dotomater\.club$/i"; classtype:trojan-activity; sid:4154401; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/288;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e288 [misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:threat-actor="TA428",misp-galaxy:malpedia="nccTrojan",misp-galaxy:malpedia="Cotx RAT",misp-galaxy:mitre-tool="NBTscan - S0590",misp-galaxy:mitre-attack-pattern="Remote 
Desktop Protocol - T1021.001",misp-galaxy:sector="Defense",misp-galaxy:sector="Government, Administration",tlp:white,dhs-ciip-sectors:DHS-critical-sectors="government-facilities"] Outgoing HTTP Hostname server.dotomater.club"; flow:to_server,established; http.header; content: "Host|3a| server.dotomater.club"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])server\.dotomater\.club[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4154402; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/288;) alert ip $HOME_NET any -> 111.90.139.122 any (msg: "MISP e289 [misp-galaxy:country="ukraine",tlp:white] Outgoing To IP: 111.90.139.122"; classtype:trojan-activity; sid:4154511; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/289;) alert dns any any -> any any (msg: "MISP e291 [misp-galaxy:ransomware="LockBit",misp-galaxy:mitre-tool="BloodHound - S0521",misp-galaxy:mitre-enterprise-attack-tool="Cobalt Strike - S0154",misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1189",misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002",tlp:white] Domain orangebronze.com"; dns.query; content:"orangebronze.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])orangebronze\.com$/i"; classtype:trojan-activity; sid:4155121; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/291;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e291 [misp-galaxy:ransomware="LockBit",misp-galaxy:mitre-tool="BloodHound - S0521",misp-galaxy:mitre-enterprise-attack-tool="Cobalt Strike - S0154",misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1189",misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002",tlp:white] Outgoing HTTP Domain orangebronze.com"; 
flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"orangebronze.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])orangebronze\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4155122; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/291;) alert ip $HOME_NET any -> 194.26.29.13 any (msg: "MISP e291 [misp-galaxy:ransomware="LockBit",misp-galaxy:mitre-tool="BloodHound - S0521",misp-galaxy:mitre-enterprise-attack-tool="Cobalt Strike - S0154",misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1189",misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002",tlp:white] Outgoing To IP: 194.26.29.13"; classtype:trojan-activity; sid:4155131; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/291;) alert dns any any -> any any (msg: "MISP e293 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",workflow:state="complete",tlp:white] Domain dropmefiles.com.ua"; dns.query; content:"dropmefiles.com.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])dropmefiles\.com\.ua$/i"; classtype:trojan-activity; sid:4155851; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/293;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e293 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",workflow:state="complete",tlp:white] Outgoing HTTP Domain dropmefiles.com.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dropmefiles.com.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dropmefiles\.com\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4155852; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/293;) alert http $HOME_NET any -> 146.70.79.52 $HTTP_PORTS (msg: "MISP e294 
[misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:mitre-enterprise-attack-tool="Cobalt Strike - S0154",misp-galaxy:mitre-malware="Conti - S0575",misp-galaxy:mitre-tool="AdFind - S0552",misp-galaxy:botnet="Qbot",misp-galaxy:malpedia="Black Basta",workflow:state="complete",tlp:white] Outgoing URL http|3a|//146.70.79.52/"; flow:to_server,established; http.header; content:"146.70.79.52"; fast_pattern; nocase; http.uri; content:"/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4156051; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/294;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e294 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:mitre-enterprise-attack-tool="Cobalt Strike - S0154",misp-galaxy:mitre-malware="Conti - S0575",misp-galaxy:mitre-tool="AdFind - S0552",misp-galaxy:botnet="Qbot",misp-galaxy:malpedia="Black Basta",workflow:state="complete",tlp:white] Outgoing URL https|3a|//aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/"; tls.sni; content:"aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion"; tag:session,600,seconds; classtype:trojan-activity; sid:4156101; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/294;) alert ip $HOME_NET any -> 84.38.133.145 any (msg: "MISP e295 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - 
T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing To IP: 84.38.133.145"; classtype:trojan-activity; sid:4156181; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;) alert ip $HOME_NET any -> 104.155.149.103 any (msg: "MISP e295 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing To IP: 104.155.149.103"; classtype:trojan-activity; sid:4156421; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;) alert ip $HOME_NET any -> 40.121.90.194 any (msg: "MISP e295 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - 
T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing To IP: 40.121.90.194"; classtype:trojan-activity; sid:4156431; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;) alert ip $HOME_NET any -> 185.29.8.162 any (msg: "MISP e295 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing To IP: 185.29.8.162"; classtype:trojan-activity; sid:4156441; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;) alert ip $HOME_NET any -> 146.4.21.94 any (msg: "MISP e295 
[misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing To IP: 146.4.21.94"; classtype:trojan-activity; sid:4156451; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;) alert ip $HOME_NET any -> 46.183.221.109 any (msg: "MISP e295 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - 
T1082",workflow:state="complete",tlp:white] Outgoing To IP: 46.183.221.109"; classtype:trojan-activity; sid:4156461; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;) alert ip $HOME_NET any -> 109.248.150.13 any (msg: "MISP e295 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing To IP: 109.248.150.13"; classtype:trojan-activity; sid:4156471; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;) alert ip $HOME_NET any -> 155.94.210.11 any (msg: "MISP e295 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - 
T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing To IP: 155.94.210.11"; classtype:trojan-activity; sid:4156481; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;) alert ip $HOME_NET any -> 192.186.183.133 any (msg: "MISP e295 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing To IP: 192.186.183.133"; classtype:trojan-activity; sid:4156491; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;) alert ip $HOME_NET any -> 54.68.42.4 any (msg: "MISP e295 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - 
T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing To IP: 54.68.42.4"; classtype:trojan-activity; sid:4156501; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;) alert ip $HOME_NET any -> 213.180.180.154 any (msg: "MISP e295 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing To IP: 213.180.180.154"; classtype:trojan-activity; sid:4156511; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;) alert http $HOME_NET any -> 104.155.149.103 $HTTP_PORTS (msg: "MISP e295 
[misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing URL http|3a|//104.155.149.103/2-443.ps1"; flow:to_server,established; http.header; content:"104.155.149.103"; fast_pattern; nocase; http.uri; content:"/2-443.ps1"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4156521; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;) alert http $HOME_NET any -> 104.155.149.103 $HTTP_PORTS (msg: "MISP e295 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - 
T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing URL http|3a|//104.155.149.103/8080.ps1"; flow:to_server,established; http.header; content:"104.155.149.103"; fast_pattern; nocase; http.uri; content:"/8080.ps1"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4156531; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;)
#
# --- MISP event 295: outbound URL IOCs (tagged Lazarus Group G0032, Energy sector, scraped from a blog post) ---
# NOTE(review): every rule below is rev:1 and carries no date or expiry; the indicators come from a single
# blog post (osint:source-type="blog-post"), so treat them as point-in-time IOCs and re-validate before a
# hit is turned into a block. Each URL rule matches the host string anywhere in the http.header buffer
# (not only the Host: header) and the path as an unanchored, case-insensitive (nocase) substring of the
# normalized http.uri; "nocase" on a numeric IP literal is a no-op.
#
# 104.155.149.103 - staging host serving .ps1/.tmp/.rar payloads, one rule per path.
# NOTE(review): the address looks like a shared cloud-provider range that gets re-assigned - confirm it is
# still attacker-controlled before acting on an alert.
alert http $HOME_NET any -> 104.155.149.103 $HTTP_PORTS (msg: "MISP e295 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing URL http|3a|//104.155.149.103/mi64.tmp"; flow:to_server,established; http.header; content:"104.155.149.103"; fast_pattern; nocase; http.uri; content:"/mi64.tmp"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4156541; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;)
alert http $HOME_NET any -> 104.155.149.103 $HTTP_PORTS (msg: "MISP e295 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing URL http|3a|//104.155.149.103/mi.tmp"; flow:to_server,established; http.header; content:"104.155.149.103"; fast_pattern; nocase; http.uri; content:"/mi.tmp"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4156551; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;)
alert http $HOME_NET any -> 104.155.149.103 $HTTP_PORTS (msg: "MISP e295 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing URL http|3a|//104.155.149.103/mm.rar"; flow:to_server,established; http.header; content:"104.155.149.103"; fast_pattern; nocase; http.uri; content:"/mm.rar"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4156561; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;)
alert http $HOME_NET any -> 104.155.149.103 $HTTP_PORTS (msg: "MISP e295 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing URL http|3a|//104.155.149.103/pd64.tmp"; flow:to_server,established; http.header; content:"104.155.149.103"; fast_pattern; nocase; http.uri; content:"/pd64.tmp"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4156571; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;)
alert http $HOME_NET any -> 104.155.149.103 $HTTP_PORTS (msg: "MISP e295 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing URL http|3a|//104.155.149.103/rar.tmp"; flow:to_server,established; http.header; content:"104.155.149.103"; fast_pattern; nocase; http.uri; content:"/rar.tmp"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4156581; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;)
alert http $HOME_NET any -> 104.155.149.103 $HTTP_PORTS (msg: "MISP e295 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing URL http|3a|//104.155.149.103/spr.tmp"; flow:to_server,established; http.header; content:"104.155.149.103"; fast_pattern; nocase; http.uri; content:"/spr.tmp"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4156591; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;)
alert http $HOME_NET any -> 104.155.149.103 $HTTP_PORTS (msg: "MISP e295 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing URL http|3a|//104.155.149.103/t.tmp"; flow:to_server,established; http.header; content:"104.155.149.103"; fast_pattern; nocase; http.uri; content:"/t.tmp"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4156601; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;)
alert http $HOME_NET any -> 104.155.149.103 $HTTP_PORTS (msg: "MISP e295 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing URL http|3a|//104.155.149.103/update.tmp"; flow:to_server,established; http.header; content:"104.155.149.103"; fast_pattern; nocase; http.uri; content:"/update.tmp"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4156611; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;)
#
# 109.248.150.13:8080 - beacon URL "/1".
# NOTE(review): http.uri content "/1" is an unanchored two-byte substring, so any URI to this host:port that
# contains "/1" (e.g. /10, /a/1b) fires. Once the exact beacon path is confirmed, pin it with bsize:2 (or
# startswith + endswith) and bump rev.
alert http $HOME_NET any -> 109.248.150.13 8080 (msg: "MISP e295 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing URL http|3a|//109.248.150.13|3a|8080/1"; flow:to_server,established; http.header; content:"109.248.150.13"; fast_pattern; nocase; http.uri; content:"/1"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4156621; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;)
#
# 146.4.21.94 - web-shell-style path under /tmp/data_preview/.
alert http $HOME_NET any -> 146.4.21.94 $HTTP_PORTS (msg: "MISP e295 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing URL http|3a|//146.4.21.94/tmp/data_preview/virtual.php"; flow:to_server,established; http.header; content:"146.4.21.94"; fast_pattern; nocase; http.uri; content:"/tmp/data_preview/virtual.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4156631; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;)
#
# 185.29.8.162:443 - the source URL is plain http:// on port 443.
# NOTE(review): "alert http" only fires if the HTTP parser sees cleartext on 443; if this C2 actually speaks
# TLS the rule is dead and an ip/tls-layer rule on the address is needed instead.
alert http $HOME_NET any -> 185.29.8.162 443 (msg: "MISP e295 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing URL http|3a|//185.29.8.162|3a|443/1.tmp"; flow:to_server,established; http.header; content:"185.29.8.162"; fast_pattern; nocase; http.uri; content:"/1.tmp"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4156641; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;)
#
# 40.121.90.194 - payloads served under .jpg/.cert/.rar names, one rule per path.
# NOTE(review): also looks like a cloud-provider address - re-validate ownership before blocking.
alert http $HOME_NET any -> 40.121.90.194 $HTTP_PORTS (msg: "MISP e295 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing URL http|3a|//40.121.90.194/11.jpg"; flow:to_server,established; http.header; content:"40.121.90.194"; fast_pattern; nocase; http.uri; content:"/11.jpg"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4156651; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;)
alert http $HOME_NET any -> 40.121.90.194 $HTTP_PORTS (msg: "MISP e295 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing URL http|3a|//40.121.90.194/300dr.cert"; flow:to_server,established; http.header; content:"40.121.90.194"; fast_pattern; nocase; http.uri; content:"/300dr.cert"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4156661; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;)
alert http $HOME_NET any -> 40.121.90.194 $HTTP_PORTS (msg: "MISP e295 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing URL http|3a|//40.121.90.194/b.cert"; flow:to_server,established; http.header; content:"40.121.90.194"; fast_pattern; nocase; http.uri; content:"/b.cert"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4156671; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;)
alert http $HOME_NET any -> 40.121.90.194 $HTTP_PORTS (msg: "MISP e295 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing URL http|3a|//40.121.90.194/qq.cert"; flow:to_server,established; http.header; content:"40.121.90.194"; fast_pattern; nocase; http.uri; content:"/qq.cert"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4156681; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;)
alert http $HOME_NET any -> 40.121.90.194 $HTTP_PORTS (msg: "MISP e295 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing URL http|3a|//40.121.90.194/ra.cert"; flow:to_server,established; http.header; content:"40.121.90.194"; fast_pattern; nocase; http.uri; content:"/ra.cert"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4156691; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;)
alert http $HOME_NET any -> 40.121.90.194 $HTTP_PORTS (msg: "MISP e295 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing URL http|3a|//40.121.90.194/Rar.jpg"; flow:to_server,established; http.header; content:"40.121.90.194"; fast_pattern; nocase; http.uri; content:"/Rar.jpg"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4156701; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;)
alert http $HOME_NET any -> 40.121.90.194 $HTTP_PORTS (msg: "MISP e295 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing URL http|3a|//40.121.90.194/tt.rar"; flow:to_server,established; http.header; content:"40.121.90.194"; fast_pattern; nocase; http.uri; content:"/tt.rar"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4156711; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;)
#
# 46.183.221.109 - executables served from a junk directory name; the path starts with "//".
# NOTE(review): http.uri is the normalized URI buffer. If your libhtp personality collapses duplicate path
# separators the leading "//" in the content will never match - verify, or match on http.uri.raw.
alert http $HOME_NET any -> 46.183.221.109 $HTTP_PORTS (msg: "MISP e295 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing URL http|3a|//46.183.221.109//dfdfdfdfdfdfdfdfdfaflakjdfljaldjfladfljaldkfjlajdsflajdskf/huntertroy.exe"; flow:to_server,established; http.header; content:"46.183.221.109"; fast_pattern; nocase; http.uri; content:"//dfdfdfdfdfdfdfdfdfaflakjdfljaldjfladfljaldkfjlajdsflajdskf/huntertroy.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4156721; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;)
alert http $HOME_NET any -> 46.183.221.109 $HTTP_PORTS (msg: "MISP e295 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing URL http|3a|//46.183.221.109//dfdfdfdfdfdfdfdfdfaflakjdfljaldjfladfljaldkfjlajdsflajdskf/svhostw.exe"; flow:to_server,established; http.header; content:"46.183.221.109"; fast_pattern; nocase; http.uri; content:"//dfdfdfdfdfdfdfdfdfaflakjdfljaldjfladfljaldkfjlajdsflajdskf/svhostw.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4156731; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;)
#
# 84.38.133.145 - C2 paths with benign-looking names (board.html, header.xml).
alert http $HOME_NET any -> 84.38.133.145 $HTTP_PORTS (msg: "MISP e295 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing URL http|3a|//84.38.133.145/board.html"; flow:to_server,established; http.header; content:"84.38.133.145"; fast_pattern; nocase; http.uri; content:"/board.html"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4156741; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;)
alert http $HOME_NET any -> 84.38.133.145 $HTTP_PORTS (msg: "MISP e295 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing URL http|3a|//84.38.133.145/header.xml"; flow:to_server,established; http.header; content:"84.38.133.145"; fast_pattern; nocase; http.uri; content:"/header.xml"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4156751; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;)
#
# Hostname-based URLs (www.ajoa.org, www.orvi00.com, tecnojournals.com, semiconductboard.com, cyancow.com):
# destination is $EXTERNAL_NET, so only the header and uri contents narrow the match.
# NOTE(review): the hostname is searched in the whole http.header buffer and will also hit when it appears
# in Referer/Origin; http.host would tie it to the Host: header. The short paths /review, /xml and /find
# are unanchored substrings and match any longer URI that contains them - expect some noise.
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e295 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing URL http|3a|//www.ajoa.org/home/manager/template/calendar.php"; flow:to_server,established; http.header; content:"www.ajoa.org"; fast_pattern; nocase; http.uri; content:"/home/manager/template/calendar.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4156761; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e295 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing URL http|3a|//www.ajoa.org/home/rar.tmp"; flow:to_server,established; http.header; content:"www.ajoa.org"; fast_pattern; nocase; http.uri; content:"/home/rar.tmp"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4156771; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e295 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing URL http|3a|//www.ajoa.org/home/tmp.ps1"; flow:to_server,established; http.header; content:"www.ajoa.org"; fast_pattern; nocase; http.uri; content:"/home/tmp.ps1"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4156781; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e295 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing URL http|3a|//www.ajoa.org/home/ztt.tmp"; flow:to_server,established; http.header; content:"www.ajoa.org"; fast_pattern; nocase; http.uri; content:"/home/ztt.tmp"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4156791; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e295 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing URL http|3a|//www.orvi00.com/ez/admin/shop/powerline.tmp"; flow:to_server,established; http.header; content:"www.orvi00.com"; fast_pattern; nocase; http.uri; content:"/ez/admin/shop/powerline.tmp"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4156801; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e295 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing URL http|3a|//tecnojournals.com/review"; flow:to_server,established; http.header; content:"tecnojournals.com"; fast_pattern; nocase; http.uri; content:"/review"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4156811; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e295 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing URL http|3a|//semiconductboard.com/xml"; flow:to_server,established; http.header; content:"semiconductboard.com"; fast_pattern; nocase; http.uri; content:"/xml"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4156821; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e295 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing URL http|3a|//cyancow.com/find"; flow:to_server,established; http.header; content:"cyancow.com"; fast_pattern; nocase; http.uri; content:"/find"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4156831; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;)
#
# 155.94.210.11 - C2 path /news/page.php.
alert http $HOME_NET any -> 155.94.210.11 $HTTP_PORTS (msg: "MISP e295 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing URL http|3a|//155.94.210.11/news/page.php"; flow:to_server,established; http.header; content:"155.94.210.11"; fast_pattern; nocase; http.uri; content:"/news/page.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4156841; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;)
alert http $HOME_NET 
any -> 192.186.183.133 $HTTP_PORTS (msg: "MISP e295 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing URL http|3a|//192.186.183.133/bbs/board.php"; flow:to_server,established; http.header; content:"192.186.183.133"; fast_pattern; nocase; http.uri; content:"/bbs/board.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4156851; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;) alert http $HOME_NET any -> 213.32.46.0 $HTTP_PORTS (msg: "MISP e295 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - 
T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing URL http|3a|//213.32.46.0/board.php"; flow:to_server,established; http.header; content:"213.32.46.0"; fast_pattern; nocase; http.uri; content:"/board.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4156861; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;) alert http $HOME_NET any -> 54.68.42.4 $HTTP_PORTS (msg: "MISP e295 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing URL http|3a|//54.68.42.4/mainboard.php"; flow:to_server,established; http.header; content:"54.68.42.4"; fast_pattern; nocase; http.uri; content:"/mainboard.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4156871; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;) alert http $HOME_NET any -> 84.38.133.145 $HTTP_PORTS (msg: "MISP e295 
[misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing URL http|3a|//84.38.133.145/apollom/jeus.php"; flow:to_server,established; http.header; content:"84.38.133.145"; fast_pattern; nocase; http.uri; content:"/apollom/jeus.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4156881; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e295 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - 
T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing URL http|3a|//mudeungsan.or.kr/gbbs/bbs/template/g_botton.php"; flow:to_server,established; http.header; content:"mudeungsan.or.kr"; fast_pattern; nocase; http.uri; content:"/gbbs/bbs/template/g_botton.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4156891; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e295 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing URL http|3a|//www.easyview.kr/board/Kheader.php"; flow:to_server,established; http.header; content:"www.easyview.kr"; fast_pattern; nocase; http.uri; content:"/board/Kheader.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4156901; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP 
e295 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing URL http|3a|//www.easyview.kr/board/mb_admin.php"; flow:to_server,established; http.header; content:"www.easyview.kr"; fast_pattern; nocase; http.uri; content:"/board/mb_admin.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4156911; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;) alert http $HOME_NET any -> 213.180.180.154 $HTTP_PORTS (msg: "MISP e295 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="canada",misp-galaxy:country="japan",misp-galaxy:country="united states",misp-galaxy:sector="Energy",misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562",misp-galaxy:mitre-attack-pattern="Stage Capabilities - 
T1608",misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005",misp-galaxy:mitre-attack-pattern="Create Account - T1136",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",workflow:state="complete",tlp:white] Outgoing URL http|3a|//213.180.180.154/editor/session/aaa000/support.php"; flow:to_server,established; http.header; content:"213.180.180.154"; fast_pattern; nocase; http.uri; content:"/editor/session/aaa000/support.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4156921; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/295;) alert dns any any -> any any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Domain aasfhhvyyayssa.xyz"; dns.query; content:"aasfhhvyyayssa.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])aasfhhvyyayssa\.xyz$/i"; classtype:trojan-activity; sid:4156951; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing HTTP Domain aasfhhvyyayssa.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"aasfhhvyyayssa.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])aasfhhvyyayssa\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4156952; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;) alert dns any any -> any any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - 
G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Domain aasouv636d.cn"; dns.query; content:"aasouv636d.cn"; nocase; pcre: "/(^|[^A-Za-z0-9-])aasouv636d\.cn$/i"; classtype:trojan-activity; sid:4156961; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing HTTP Domain aasouv636d.cn"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"aasouv636d.cn"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])aasouv636d\.cn[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4156962; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;) alert dns any any -> any any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Domain afggaiir3a.xyz"; dns.query; content:"afggaiir3a.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])afggaiir3a\.xyz$/i"; classtype:trojan-activity; sid:4156971; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing HTTP Domain afggaiir3a.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"afggaiir3a.xyz"; fast_pattern; 
nocase; pcre: "/(^|[^A-Za-z0-9-])afggaiir3a\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4156972; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;) alert dns any any -> any any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Domain aisiciciaisxuusuxic.xyz"; dns.query; content:"aisiciciaisxuusuxic.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])aisiciciaisxuusuxic\.xyz$/i"; classtype:trojan-activity; sid:4156981; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing HTTP Domain aisiciciaisxuusuxic.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"aisiciciaisxuusuxic.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])aisiciciaisxuusuxic\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4156982; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;) alert dns any any -> any any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Domain aonvjvisi3949vnao30cv.xyz"; dns.query; content:"aonvjvisi3949vnao30cv.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])aonvjvisi3949vnao30cv\.xyz$/i"; classtype:trojan-activity; sid:4156991; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing HTTP Domain aonvjvisi3949vnao30cv.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"aonvjvisi3949vnao30cv.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])aonvjvisi3949vnao30cv\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4156992; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;) alert dns any any -> any any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Domain aosdnvnauurt.xyz"; dns.query; content:"aosdnvnauurt.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])aosdnvnauurt\.xyz$/i"; classtype:trojan-activity; sid:4157001; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing HTTP Domain aosdnvnauurt.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"aosdnvnauurt.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])aosdnvnauurt\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4157002; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;) alert dns any any -> any any (msg: "MISP e296 
[misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Domain asdijoisad87ay3.cn"; dns.query; content:"asdijoisad87ay3.cn"; nocase; pcre: "/(^|[^A-Za-z0-9-])asdijoisad87ay3\.cn$/i"; classtype:trojan-activity; sid:4157011; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing HTTP Domain asdijoisad87ay3.cn"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"asdijoisad87ay3.cn"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])asdijoisad87ay3\.cn[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4157012; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;) alert dns any any -> any any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Domain asdyyauscuauusc.xyz"; dns.query; content:"asdyyauscuauusc.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])asdyyauscuauusc\.xyz$/i"; classtype:trojan-activity; sid:4157021; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing 
HTTP Domain asdyyauscuauusc.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"asdyyauscuauusc.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])asdyyauscuauusc\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4157022; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;) alert dns any any -> any any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Domain asfggagsa3.xyz"; dns.query; content:"asfggagsa3.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])asfggagsa3\.xyz$/i"; classtype:trojan-activity; sid:4157031; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing HTTP Domain asfggagsa3.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"asfggagsa3.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])asfggagsa3\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4157032; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;) alert dns any any -> any any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Domain asfjjasguasus.xyz"; dns.query; content:"asfjjasguasus.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])asfjjasguasus\.xyz$/i"; classtype:trojan-activity; 
sid:4157041; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing HTTP Domain asfjjasguasus.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"asfjjasguasus.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])asfjjasguasus\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4157042; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;) alert dns any any -> any any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Domain asfjjsdvv33gqrr2fv.cn"; dns.query; content:"asfjjsdvv33gqrr2fv.cn"; nocase; pcre: "/(^|[^A-Za-z0-9-])asfjjsdvv33gqrr2fv\.cn$/i"; classtype:trojan-activity; sid:4157051; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing HTTP Domain asfjjsdvv33gqrr2fv.cn"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"asfjjsdvv33gqrr2fv.cn"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])asfjjsdvv33gqrr2fv\.cn[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4157052; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;) alert 
dns any any -> any any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Domain asfpihbhbyd.xyz"; dns.query; content:"asfpihbhbyd.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])asfpihbhbyd\.xyz$/i"; classtype:trojan-activity; sid:4157061; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing HTTP Domain asfpihbhbyd.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"asfpihbhbyd.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])asfpihbhbyd\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4157062; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;) alert dns any any -> any any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Domain asfuuvhv3083f.xyz"; dns.query; content:"asfuuvhv3083f.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])asfuuvhv3083f\.xyz$/i"; classtype:trojan-activity; sid:4157071; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - 
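S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing HTTP Domain asfuuvhv3083f.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"asfuuvhv3083f.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])asfuuvhv3083f\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4157072; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
# --- Reviewer notes on this excerpt (MISP event 296, ServHelper / TA505) ---
# Layout: as rendered, every signature was wrapped across several physical
# lines. Suricata loads one signature per line (a continuation needs a trailing
# backslash), so wrapped rules fail to parse. They are restored below one per
# line with their bodies unchanged. The signature that ends on the line above
# starts in the preceding part of the file and is left as found.
# Variables: $HOME_NET and $EXTERNAL_NET must be defined in suricata.yaml or
# the `alert http` / `alert ip` signatures will not load.
# DNS coverage: `alert dns any any -> any any` with `dns.query` fires on query
# names regardless of direction, so a hit may surface on resolver/forwarder
# traffic rather than the infected endpoint; pivot on the DNS client address.
# The pcre `(^|[^A-Za-z0-9-])<name>$` also accepts a preceding '.', i.e. any
# subdomain of the listed name matches.
# HTTP coverage: only cleartext HTTP is inspected. `content: "Host|3a|"` and the
# domain `content` are independent matches over http.header, so the name may
# match in a header other than Host (e.g. Referer) - hunt-grade, not
# block-grade. TLS to the same domains is NOT covered by these rules; pair each
# domain with a `tls.sni` signature if HTTPS C2 is in scope.
# `tag:session,600,seconds` logs the whole session for 10 minutes after a hit;
# expect higher log volume on busy sensors.
alert dns any any -> any any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Domain asgyyya6ychcha.xyz"; dns.query; content:"asgyyya6ychcha.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])asgyyya6ychcha\.xyz$/i"; classtype:trojan-activity; sid:4157081; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing HTTP Domain asgyyya6ychcha.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"asgyyya6ychcha.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])asgyyya6ychcha\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4157082; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert dns any any -> any any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Domain asudjasdusad.xyz"; dns.query; content:"asudjasdusad.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])asudjasdusad\.xyz$/i"; classtype:trojan-activity; sid:4157091; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing HTTP Domain asudjasdusad.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"asudjasdusad.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])asudjasdusad\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4157092; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert dns any any -> any any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Domain dfsrakizimoy34ggf.xyz"; dns.query; content:"dfsrakizimoy34ggf.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])dfsrakizimoy34ggf\.xyz$/i"; classtype:trojan-activity; sid:4157101; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing HTTP Domain dfsrakizimoy34ggf.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dfsrakizimoy34ggf.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dfsrakizimoy34ggf\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4157102; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert dns any any -> any any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Domain dkaknvizisic.xyz"; dns.query; content:"dkaknvizisic.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])dkaknvizisic\.xyz$/i"; classtype:trojan-activity; sid:4157111; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing HTTP Domain dkaknvizisic.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dkaknvizisic.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dkaknvizisic\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4157112; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert dns any any -> any any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Domain hitnaiguat.xyz"; dns.query; content:"hitnaiguat.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])hitnaiguat\.xyz$/i"; classtype:trojan-activity; sid:4157121; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing HTTP Domain hitnaiguat.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hitnaiguat.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hitnaiguat\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4157122; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert dns any any -> any any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Domain listjhueaa.cn"; dns.query; content:"listjhueaa.cn"; nocase; pcre: "/(^|[^A-Za-z0-9-])listjhueaa\.cn$/i"; classtype:trojan-activity; sid:4157131; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing HTTP Domain listjhueaa.cn"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"listjhueaa.cn"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])listjhueaa\.cn[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4157132; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert dns any any -> any any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Domain neboley.cn"; dns.query; content:"neboley.cn"; nocase; pcre: "/(^|[^A-Za-z0-9-])neboley\.cn$/i"; classtype:trojan-activity; sid:4157141; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing HTTP Domain neboley.cn"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"neboley.cn"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])neboley\.cn[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4157142; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert dns any any -> any any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Domain novacation.cn"; dns.query; content:"novacation.cn"; nocase; pcre: "/(^|[^A-Za-z0-9-])novacation\.cn$/i"; classtype:trojan-activity; sid:4157151; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing HTTP Domain novacation.cn"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"novacation.cn"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])novacation\.cn[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4157152; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert dns any any -> any any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Domain pgf5ga4g4b.cn"; dns.query; content:"pgf5ga4g4b.cn"; nocase; pcre: "/(^|[^A-Za-z0-9-])pgf5ga4g4b\.cn$/i"; classtype:trojan-activity; sid:4157161; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing HTTP Domain pgf5ga4g4b.cn"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pgf5ga4g4b.cn"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pgf5ga4g4b\.cn[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4157162; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert dns any any -> any any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Domain pssoduvnzud.xyz"; dns.query; content:"pssoduvnzud.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])pssoduvnzud\.xyz$/i"; classtype:trojan-activity; sid:4157171; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing HTTP Domain pssoduvnzud.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pssoduvnzud.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pssoduvnzud\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4157172; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert dns any any -> any any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Domain sacmmvivuasd.xyz"; dns.query; content:"sacmmvivuasd.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])sacmmvivuasd\.xyz$/i"; classtype:trojan-activity; sid:4157181; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing HTTP Domain sacmmvivuasd.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sacmmvivuasd.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sacmmvivuasd\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4157182; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert dns any any -> any any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Domain sadiviai9d9asd.xyz"; dns.query; content:"sadiviai9d9asd.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])sadiviai9d9asd\.xyz$/i"; classtype:trojan-activity; sid:4157191; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing HTTP Domain sadiviai9d9asd.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sadiviai9d9asd.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sadiviai9d9asd\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4157192; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert dns any any -> any any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Domain sagbbrrww2.cn"; dns.query; content:"sagbbrrww2.cn"; nocase; pcre: "/(^|[^A-Za-z0-9-])sagbbrrww2\.cn$/i"; classtype:trojan-activity; sid:4157201; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing HTTP Domain sagbbrrww2.cn"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sagbbrrww2.cn"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sagbbrrww2\.cn[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4157202; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert dns any any -> any any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Domain sagiai3agar.cn"; dns.query; content:"sagiai3agar.cn"; nocase; pcre: "/(^|[^A-Za-z0-9-])sagiai3agar\.cn$/i"; classtype:trojan-activity; sid:4157211; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing HTTP Domain sagiai3agar.cn"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sagiai3agar.cn"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sagiai3agar\.cn[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4157212; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert dns any any -> any any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Domain saidifufaysydas.cn"; dns.query; content:"saidifufaysydas.cn"; nocase; pcre: "/(^|[^A-Za-z0-9-])saidifufaysydas\.cn$/i"; classtype:trojan-activity; sid:4157221; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing HTTP Domain saidifufaysydas.cn"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"saidifufaysydas.cn"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])saidifufaysydas\.cn[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4157222; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert dns any any -> any any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Domain saidijfjv9as.xyz"; dns.query; content:"saidijfjv9as.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])saidijfjv9as\.xyz$/i"; classtype:trojan-activity; sid:4157231; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing HTTP Domain saidijfjv9as.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"saidijfjv9as.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])saidijfjv9as\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4157232; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert dns any any -> any any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Domain saidiviaiisj3.xyz"; dns.query; content:"saidiviaiisj3.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])saidiviaiisj3\.xyz$/i"; classtype:trojan-activity; sid:4157241; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing HTTP Domain saidiviaiisj3.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"saidiviaiisj3.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])saidiviaiisj3\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4157242; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert dns any any -> any any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Domain sasdmvica883fen.xyz"; dns.query; content:"sasdmvica883fen.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])sasdmvica883fen\.xyz$/i"; classtype:trojan-activity; sid:4157251; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing HTTP Domain sasdmvica883fen.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sasdmvica883fen.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sasdmvica883fen\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4157252; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert dns any any -> any any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Domain sasf6asf683jfsd.xyz"; dns.query; content:"sasf6asf683jfsd.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])sasf6asf683jfsd\.xyz$/i"; classtype:trojan-activity; sid:4157261; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing HTTP Domain sasf6asf683jfsd.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sasf6asf683jfsd.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sasf6asf683jfsd\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4157262; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert dns any any -> any any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Domain saudjyyvv663.xyz"; dns.query; content:"saudjyyvv663.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])saudjyyvv663\.xyz$/i"; classtype:trojan-activity; sid:4157271; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing HTTP Domain saudjyyvv663.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"saudjyyvv663.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])saudjyyvv663\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4157272; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert dns any any -> any any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Domain sdgububue3.xyz"; dns.query; content:"sdgububue3.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])sdgububue3\.xyz$/i"; classtype:trojan-activity; sid:4157281; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing HTTP Domain sdgububue3.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sdgububue3.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sdgububue3\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4157282; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert dns any any -> any any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Domain soajfvhv235ua.xyz"; dns.query; content:"soajfvhv235ua.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])soajfvhv235ua\.xyz$/i"; classtype:trojan-activity; sid:4157291; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing HTTP Domain soajfvhv235ua.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"soajfvhv235ua.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])soajfvhv235ua\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4157292; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert dns any any -> any any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Domain whereihjeu3.xyz"; dns.query; content:"whereihjeu3.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])whereihjeu3\.xyz$/i"; classtype:trojan-activity; sid:4157301; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing HTTP Domain whereihjeu3.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"whereihjeu3.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])whereihjeu3\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4157302; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert dns any any -> any any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Domain teahgiaj3ig.cn"; dns.query; content:"teahgiaj3ig.cn"; nocase; pcre: "/(^|[^A-Za-z0-9-])teahgiaj3ig\.cn$/i"; classtype:trojan-activity; sid:4157311; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing HTTP Domain teahgiaj3ig.cn"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"teahgiaj3ig.cn"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])teahgiaj3ig\.cn[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4157312; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
# sid 4157321/4157322 is absent between teahgiaj3ig.cn and bromide.xyz. MISP
# numbers sids per attribute, so one attribute of e296 was presumably not
# exported (e.g. to_ids unset); check the event if full coverage matters.
alert dns any any -> any any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Domain bromide.xyz"; dns.query; content:"bromide.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])bromide\.xyz$/i"; classtype:trojan-activity; sid:4157331; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing HTTP Domain bromide.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bromide.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bromide\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4157332; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
# IP IOCs for e296: `alert ip` matches any IP-protocol packet to the address,
# with no flow, port or direction-of-session qualifier, and carries priority:1.
# Raw C2 addresses age quickly, and several below cluster in the same /24s
# (185.163.45.x, 185.163.47.x, 94.158.245.x, 5.181.156.x, 206.188.197.x,
# 194.180.174.x). Validate the event date and current ownership before turning
# these into blocks, and do not widen to a whole range without corroboration.
alert ip $HOME_NET any -> 37.1.201.136 any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing To IP: 37.1.201.136"; classtype:trojan-activity; sid:4158121; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert ip $HOME_NET any -> 5.61.60.54 any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing To IP: 5.61.60.54"; classtype:trojan-activity; sid:4158131; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert ip $HOME_NET any -> 185.163.45.186 any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing To IP: 185.163.45.186"; classtype:trojan-activity; sid:4158151; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert ip $HOME_NET any -> 185.163.45.240 any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing To IP: 185.163.45.240"; classtype:trojan-activity; sid:4158161; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert ip $HOME_NET any -> 185.163.45.248 any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing To IP: 185.163.45.248"; classtype:trojan-activity; sid:4158171; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert ip $HOME_NET any -> 185.163.45.56 any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing To IP: 185.163.45.56"; classtype:trojan-activity; sid:4158181; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert ip $HOME_NET any -> 185.163.47.171 any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing To IP: 185.163.47.171"; classtype:trojan-activity; sid:4158191; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert ip $HOME_NET any -> 185.163.47.210 any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing To IP: 185.163.47.210"; classtype:trojan-activity; sid:4158201; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert ip $HOME_NET any -> 194.180.174.20 any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing To IP: 194.180.174.20"; classtype:trojan-activity; sid:4158211; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert ip $HOME_NET any -> 194.180.174.56 any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing To IP: 194.180.174.56"; classtype:trojan-activity; sid:4158221; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert ip $HOME_NET any -> 206.188.197.203 any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing To IP: 206.188.197.203"; classtype:trojan-activity; sid:4158231; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert ip $HOME_NET any -> 206.188.197.221 any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing To IP: 206.188.197.221"; classtype:trojan-activity; sid:4158241; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert ip $HOME_NET any -> 5.181.156.142 any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing To IP: 5.181.156.142"; classtype:trojan-activity; sid:4158251; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert ip $HOME_NET any -> 5.181.156.15 any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing To IP: 5.181.156.15"; classtype:trojan-activity; sid:4158261; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert ip $HOME_NET any -> 5.181.156.4 any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing To IP: 5.181.156.4"; classtype:trojan-activity; sid:4158271; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert ip $HOME_NET any -> 5.181.156.64 any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing To IP: 5.181.156.64"; classtype:trojan-activity; sid:4158281; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert ip $HOME_NET any -> 94.158.245.113 any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing To IP: 94.158.245.113"; classtype:trojan-activity; sid:4158291; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert ip $HOME_NET any -> 94.158.245.172 any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing To IP: 94.158.245.172"; classtype:trojan-activity; sid:4158301; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert ip $HOME_NET any -> 94.158.245.180 any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing To IP: 94.158.245.180"; classtype:trojan-activity; sid:4158311; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert ip $HOME_NET any -> 94.158.245.73 any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing To IP: 94.158.245.73"; classtype:trojan-activity; sid:4158321; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
alert ip $HOME_NET any -> 94.158.245.77 any (msg: "MISP e296 [misp-galaxy:backdoor="ServHelper",misp-galaxy:malpedia="ServHelper",misp-galaxy:mitre-intrusion-set="TA505 - G0092",misp-galaxy:mitre-malware="ServHelper - S0382",misp-galaxy:threat-actor="TA505",misp-galaxy:sector="Finance",tlp:white] Outgoing To IP: 94.158.245.77"; classtype:trojan-activity; sid:4158331; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/296;)
# e297 carries no galaxy/context tags and priority:2; the only context for
# these two addresses is the referenced event page - read it before acting.
alert ip $HOME_NET any -> 136.243.108.14 any (msg: "MISP e297 [tlp:white] Outgoing To IP: 136.243.108.14"; classtype:trojan-activity; sid:4158361; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/297;)
alert ip $HOME_NET any -> 173.209.51.54 any (msg: "MISP e297 [tlp:white] Outgoing To IP: 173.209.51.54"; classtype:trojan-activity; sid:4158371; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/297;)
# e298 is exported from a MISP "hostname" attribute (msg says Hostname, not
# Domain) and its pattern differs from the e296 Domain rules: the pcre prefix
# `(^|[^A-Za-z0-9-\.])` rejects a preceding '.', so subdomains of
# www.maicaidao.com do NOT match, and the HTTP rule anchors the name directly
# inside `Host|3a| ...` rather than matching it anywhere in the headers -
# tighter, fewer false positives. The event tags mark it as a China Chopper /
# web-shell (T1505.003) collection; the hostname's role is not stated in the
# rule, so check the event before treating a hit as C2.
alert dns any any -> any any (msg: "MISP e298 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:financial-fraud="Malware",misp-galaxy:mitre-enterprise-attack-malware="China Chopper - S0020",misp-galaxy:sector="Other",misp-galaxy:target-information="China",misp-galaxy:ransomware="Explorer",misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003",workflow:state="complete",tlp:white] Hostname www.maicaidao.com"; dns.query; content:"www.maicaidao.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.maicaidao\.com$/i"; classtype:trojan-activity; sid:4158541; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/298;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e298 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:financial-fraud="Malware",misp-galaxy:mitre-enterprise-attack-malware="China Chopper - S0020",misp-galaxy:sector="Other",misp-galaxy:target-information="China",misp-galaxy:ransomware="Explorer",misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003",workflow:state="complete",tlp:white] Outgoing HTTP Hostname www.maicaidao.com"; flow:to_server,established; http.header; content: "Host|3a| www.maicaidao.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.maicaidao\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4158542; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/298;)
alert http 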
$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e299 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="australia",misp-galaxy:country="malaysia",misp-galaxy:malpedia="scanbox",misp-galaxy:mitre-attack-pattern="Template Injection - T1221",misp-galaxy:sector="Energy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Manufacturing",misp-galaxy:sector="News - Media",workflow:state="complete",tlp:white] Outgoing URL http|3a|//asutralianmorningnews.com/?p=19-"; flow:to_server,established; http.header; content:"asutralianmorningnews.com"; fast_pattern; nocase; http.uri; content:"/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4158921; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/299;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e299 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="australia",misp-galaxy:country="malaysia",misp-galaxy:malpedia="scanbox",misp-galaxy:mitre-attack-pattern="Template Injection - T1221",misp-galaxy:sector="Energy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Manufacturing",misp-galaxy:sector="News - Media",workflow:state="complete",tlp:white] Outgoing URL https|3a|//theaustralian.in/europa.eeas"; tls.sni; content:"theaustralian.in"; tag:session,600,seconds; classtype:trojan-activity; sid:4158931; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/299;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e299 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="australia",misp-galaxy:country="malaysia",misp-galaxy:malpedia="scanbox",misp-galaxy:mitre-attack-pattern="Template Injection - T1221",misp-galaxy:sector="Energy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Manufacturing",misp-galaxy:sector="News - 
Media",workflow:state="complete",tlp:white] Outgoing URL http|3a|//walmartsde.com/UpdateConfig"; flow:to_server,established; http.header; content:"walmartsde.com"; fast_pattern; nocase; http.uri; content:"/UpdateConfig"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4158951; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/299;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e299 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="australia",misp-galaxy:country="malaysia",misp-galaxy:malpedia="scanbox",misp-galaxy:mitre-attack-pattern="Template Injection - T1221",misp-galaxy:sector="Energy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Manufacturing",misp-galaxy:sector="News - Media",workflow:state="complete",tlp:white] Outgoing URL https|3a|//regionail.xyz/austrade.au"; tls.sni; content:"regionail.xyz"; tag:session,600,seconds; classtype:trojan-activity; sid:4158961; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/299;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e299 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="australia",misp-galaxy:country="malaysia",misp-galaxy:malpedia="scanbox",misp-galaxy:mitre-attack-pattern="Template Injection - T1221",misp-galaxy:sector="Energy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Manufacturing",misp-galaxy:sector="News - Media",workflow:state="complete",tlp:white] Source Email Address: entertainingemiliano20@gmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"entertainingemiliano20@gmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4158971; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/299;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e299 
[misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="australia",misp-galaxy:country="malaysia",misp-galaxy:malpedia="scanbox",misp-galaxy:mitre-attack-pattern="Template Injection - T1221",misp-galaxy:sector="Energy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Manufacturing",misp-galaxy:sector="News - Media",workflow:state="complete",tlp:white] Outgoing URL https|3a|//theaustralian.in/office"; tls.sni; content:"theaustralian.in"; tag:session,600,seconds; classtype:trojan-activity; sid:4158981; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/299;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e299 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="australia",misp-galaxy:country="malaysia",misp-galaxy:malpedia="scanbox",misp-galaxy:mitre-attack-pattern="Template Injection - T1221",misp-galaxy:sector="Energy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Manufacturing",misp-galaxy:sector="News - Media",workflow:state="complete",tlp:white] Outgoing URL https|3a|//theaustralian.in/word"; tls.sni; content:"theaustralian.in"; tag:session,600,seconds; classtype:trojan-activity; sid:4159021; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/299;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e299 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="australia",misp-galaxy:country="malaysia",misp-galaxy:malpedia="scanbox",misp-galaxy:mitre-attack-pattern="Template Injection - T1221",misp-galaxy:sector="Energy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Manufacturing",misp-galaxy:sector="News - Media",workflow:state="complete",tlp:white] Outgoing URL https|3a|//magloball.com/nDo3SB"; tls.sni; content:"magloball.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4159031; rev:1; 
priority:2; reference:url,https://misp.botvrij.eu/events/view/299;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e299 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="australia",misp-galaxy:country="malaysia",misp-galaxy:malpedia="scanbox",misp-galaxy:mitre-attack-pattern="Template Injection - T1221",misp-galaxy:sector="Energy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Manufacturing",misp-galaxy:sector="News - Media",workflow:state="complete",tlp:white] Source Email Address: visitable.daishaju@gmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"visitable.daishaju@gmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4159041; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/299;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e299 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="australia",misp-galaxy:country="malaysia",misp-galaxy:malpedia="scanbox",misp-galaxy:mitre-attack-pattern="Template Injection - T1221",misp-galaxy:sector="Energy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Manufacturing",misp-galaxy:sector="News - Media",workflow:state="complete",tlp:white] Source Email Address: goodlandteactuator@gmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"goodlandteactuator@gmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4159051; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/299;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e299 
[misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="australia",misp-galaxy:country="malaysia",misp-galaxy:malpedia="scanbox",misp-galaxy:mitre-attack-pattern="Template Injection - T1221",misp-galaxy:sector="Energy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Manufacturing",misp-galaxy:sector="News - Media",workflow:state="complete",tlp:white] Source Email Address: walknermohammad26@gmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"walknermohammad26@gmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4159061; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/299;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e299 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="australia",misp-galaxy:country="malaysia",misp-galaxy:malpedia="scanbox",misp-galaxy:mitre-attack-pattern="Template Injection - T1221",misp-galaxy:sector="Energy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Manufacturing",misp-galaxy:sector="News - Media",workflow:state="complete",tlp:white] Source Email Address: charmainejuxtzk@outlook.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"charmainejuxtzk@outlook.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4159071; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/299;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e299 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="australia",misp-galaxy:country="malaysia",misp-galaxy:malpedia="scanbox",misp-galaxy:mitre-attack-pattern="Template Injection - T1221",misp-galaxy:sector="Energy",misp-galaxy:sector="Government, 
Administration",misp-galaxy:sector="Manufacturing",misp-galaxy:sector="News - Media",workflow:state="complete",tlp:white] Source Email Address: osinskigeovannyxw@gmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"osinskigeovannyxw@gmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4159081; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/299;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e299 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="australia",misp-galaxy:country="malaysia",misp-galaxy:malpedia="scanbox",misp-galaxy:mitre-attack-pattern="Template Injection - T1221",misp-galaxy:sector="Energy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Manufacturing",misp-galaxy:sector="News - Media",workflow:state="complete",tlp:white] Source Email Address: ascents.nestora2@gmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"ascents.nestora2@gmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4159091; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/299;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e299 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="australia",misp-galaxy:country="malaysia",misp-galaxy:malpedia="scanbox",misp-galaxy:mitre-attack-pattern="Template Injection - T1221",misp-galaxy:sector="Energy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Manufacturing",misp-galaxy:sector="News - Media",workflow:state="complete",tlp:white] Source Email Address: gradyt18iheme@outlook.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"gradyt18iheme@outlook.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; 
within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4159101; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/299;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e299 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="australia",misp-galaxy:country="malaysia",misp-galaxy:malpedia="scanbox",misp-galaxy:mitre-attack-pattern="Template Injection - T1221",misp-galaxy:sector="Energy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Manufacturing",misp-galaxy:sector="News - Media",workflow:state="complete",tlp:white] Source Email Address: marikok2bedax@outlook.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"marikok2bedax@outlook.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4159111; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/299;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e299 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="australia",misp-galaxy:country="malaysia",misp-galaxy:malpedia="scanbox",misp-galaxy:mitre-attack-pattern="Template Injection - T1221",misp-galaxy:sector="Energy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Manufacturing",misp-galaxy:sector="News - Media",workflow:state="complete",tlp:white] Source Email Address: amianggitaphill@yahoo.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"amianggitaphill@yahoo.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4159121; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/299;) alert dns any any -> any any (msg: "MISP e299 
[misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="australia",misp-galaxy:country="malaysia",misp-galaxy:malpedia="scanbox",misp-galaxy:mitre-attack-pattern="Template Injection - T1221",misp-galaxy:sector="Energy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Manufacturing",misp-galaxy:sector="News - Media",workflow:state="complete",tlp:white] Domain australianmorningnews.com"; dns.query; content:"australianmorningnews.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])australianmorningnews\.com$/i"; classtype:trojan-activity; sid:4159131; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/299;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e299 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="australia",misp-galaxy:country="malaysia",misp-galaxy:malpedia="scanbox",misp-galaxy:mitre-attack-pattern="Template Injection - T1221",misp-galaxy:sector="Energy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Manufacturing",misp-galaxy:sector="News - Media",workflow:state="complete",tlp:white] Outgoing HTTP Domain australianmorningnews.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"australianmorningnews.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])australianmorningnews\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4159132; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/299;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e299 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="australia",misp-galaxy:country="malaysia",misp-galaxy:malpedia="scanbox",misp-galaxy:mitre-attack-pattern="Template Injection - T1221",misp-galaxy:sector="Energy",misp-galaxy:sector="Government, 
Administration",misp-galaxy:sector="Manufacturing",misp-galaxy:sector="News - Media",workflow:state="complete",tlp:white] Source Email Address: pearlykeap3l@outlook.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"pearlykeap3l@outlook.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4159141; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/299;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e299 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="australia",misp-galaxy:country="malaysia",misp-galaxy:malpedia="scanbox",misp-galaxy:mitre-attack-pattern="Template Injection - T1221",misp-galaxy:sector="Energy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Manufacturing",misp-galaxy:sector="News - Media",workflow:state="complete",tlp:white] Source Email Address: dagny382cber@outlook.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"dagny382cber@outlook.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4159151; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/299;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e299 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="australia",misp-galaxy:country="malaysia",misp-galaxy:malpedia="scanbox",misp-galaxy:mitre-attack-pattern="Template Injection - T1221",misp-galaxy:sector="Energy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Manufacturing",misp-galaxy:sector="News - Media",workflow:state="complete",tlp:white] Source Email Address: claire3bluntxq@gmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"claire3bluntxq@gmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; 
tag:session,600,seconds; classtype:trojan-activity; sid:4159161; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/299;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e299 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="australia",misp-galaxy:country="malaysia",misp-galaxy:malpedia="scanbox",misp-galaxy:mitre-attack-pattern="Template Injection - T1221",misp-galaxy:sector="Energy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Manufacturing",misp-galaxy:sector="News - Media",workflow:state="complete",tlp:white] Source Email Address: brittanisoq@outlook.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"brittanisoq@outlook.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4159171; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/299;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e299 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="australia",misp-galaxy:country="malaysia",misp-galaxy:malpedia="scanbox",misp-galaxy:mitre-attack-pattern="Template Injection - T1221",misp-galaxy:sector="Energy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Manufacturing",misp-galaxy:sector="News - Media",workflow:state="complete",tlp:white] Source Email Address: mattbotossd@outlook.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"mattbotossd@outlook.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4159181; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/299;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e299 
[misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="australia",misp-galaxy:country="malaysia",misp-galaxy:malpedia="scanbox",misp-galaxy:mitre-attack-pattern="Template Injection - T1221",misp-galaxy:sector="Energy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Manufacturing",misp-galaxy:sector="News - Media",workflow:state="complete",tlp:white] Source Email Address: suzannehhu316@outlook.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"suzannehhu316@outlook.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4159191; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/299;) alert http $HOME_NET any -> 172.105.114.27 $HTTP_PORTS (msg: "MISP e299 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="australia",misp-galaxy:country="malaysia",misp-galaxy:malpedia="scanbox",misp-galaxy:mitre-attack-pattern="Template Injection - T1221",misp-galaxy:sector="Energy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Manufacturing",misp-galaxy:sector="News - Media",workflow:state="complete",tlp:white] Outgoing URL http|3a|//172.105.114.27/v"; flow:to_server,established; http.header; content:"172.105.114.27"; fast_pattern; nocase; http.uri; content:"/v"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4159201; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/299;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e299 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="australia",misp-galaxy:country="malaysia",misp-galaxy:malpedia="scanbox",misp-galaxy:mitre-attack-pattern="Template Injection - T1221",misp-galaxy:sector="Energy",misp-galaxy:sector="Government, 
Administration",misp-galaxy:sector="Manufacturing",misp-galaxy:sector="News - Media",workflow:state="complete",tlp:white] Outgoing URL https|3a|//regionail.xyz/"; tls.sni; content:"regionail.xyz"; tag:session,600,seconds; classtype:trojan-activity; sid:4159211; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/299;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e299 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="australia",misp-galaxy:country="malaysia",misp-galaxy:malpedia="scanbox",misp-galaxy:mitre-attack-pattern="Template Injection - T1221",misp-galaxy:sector="Energy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Manufacturing",misp-galaxy:sector="News - Media",workflow:state="complete",tlp:white] Source Email Address: thuang6102@gmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"thuang6102@gmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4159221; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/299;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e299 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="australia",misp-galaxy:country="malaysia",misp-galaxy:malpedia="scanbox",misp-galaxy:mitre-attack-pattern="Template Injection - T1221",misp-galaxy:sector="Energy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Manufacturing",misp-galaxy:sector="News - Media",workflow:state="complete",tlp:white] Source Email Address: earlt1948@gmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"earlt1948@gmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4159231; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/299;) alert ip 
$HOME_NET any -> 139.59.60.116 443 (msg: "MISP e299 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="australia",misp-galaxy:country="malaysia",misp-galaxy:malpedia="scanbox",misp-galaxy:mitre-attack-pattern="Template Injection - T1221",misp-galaxy:sector="Energy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Manufacturing",misp-galaxy:sector="News - Media",workflow:state="complete",tlp:white] Outgoing To IP: 139.59.60.116|443"; classtype:trojan-activity; sid:4159241; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/299;) alert ip $HOME_NET any -> 172.105.114.27 80 (msg: "MISP e299 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="australia",misp-galaxy:country="malaysia",misp-galaxy:malpedia="scanbox",misp-galaxy:mitre-attack-pattern="Template Injection - T1221",misp-galaxy:sector="Energy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Manufacturing",misp-galaxy:sector="News - Media",workflow:state="complete",tlp:white] Outgoing To IP: 172.105.114.27|80"; classtype:trojan-activity; sid:4159251; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/299;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e299 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="australia",misp-galaxy:country="malaysia",misp-galaxy:malpedia="scanbox",misp-galaxy:mitre-attack-pattern="Template Injection - T1221",misp-galaxy:sector="Energy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Manufacturing",misp-galaxy:sector="News - Media",workflow:state="complete",tlp:white] Source Email Address: zoezlb@gmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"zoezlb@gmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; 
sid:4159261; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/299;) alert dns any any -> any any (msg: "MISP e299 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="australia",misp-galaxy:country="malaysia",misp-galaxy:malpedia="scanbox",misp-galaxy:mitre-attack-pattern="Template Injection - T1221",misp-galaxy:sector="Energy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Manufacturing",misp-galaxy:sector="News - Media",workflow:state="complete",tlp:white] Domain theaustralian.in"; dns.query; content:"theaustralian.in"; nocase; pcre: "/(^|[^A-Za-z0-9-])theaustralian\.in$/i"; classtype:trojan-activity; sid:4159271; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/299;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e299 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="australia",misp-galaxy:country="malaysia",misp-galaxy:malpedia="scanbox",misp-galaxy:mitre-attack-pattern="Template Injection - T1221",misp-galaxy:sector="Energy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Manufacturing",misp-galaxy:sector="News - Media",workflow:state="complete",tlp:white] Outgoing HTTP Domain theaustralian.in"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"theaustralian.in"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])theaustralian\.in[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4159272; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/299;) alert dns any any -> any any (msg: "MISP e299 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="australia",misp-galaxy:country="malaysia",misp-galaxy:malpedia="scanbox",misp-galaxy:mitre-attack-pattern="Template Injection - 
T1221",misp-galaxy:sector="Energy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Manufacturing",misp-galaxy:sector="News - Media",workflow:state="complete",tlp:white] Domain mlcdailynews.com"; dns.query; content:"mlcdailynews.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])mlcdailynews\.com$/i"; classtype:trojan-activity; sid:4159281; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/299;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e299 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="australia",misp-galaxy:country="malaysia",misp-galaxy:malpedia="scanbox",misp-galaxy:mitre-attack-pattern="Template Injection - T1221",misp-galaxy:sector="Energy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Manufacturing",misp-galaxy:sector="News - Media",workflow:state="complete",tlp:white] Outgoing HTTP Domain mlcdailynews.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mlcdailynews.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mlcdailynews\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4159282; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/299;) alert ip $HOME_NET any -> 139.180.161.195 any (msg: "MISP e299 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="australia",misp-galaxy:country="malaysia",misp-galaxy:malpedia="scanbox",misp-galaxy:mitre-attack-pattern="Template Injection - T1221",misp-galaxy:sector="Energy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Manufacturing",misp-galaxy:sector="News - Media",workflow:state="complete",tlp:white] Outgoing To IP: 139.180.161.195"; classtype:trojan-activity; sid:4159301; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/299;) alert ip $HOME_NET any -> 104.168.140.23 any (msg: "MISP e299 
[misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="australia",misp-galaxy:country="malaysia",misp-galaxy:malpedia="scanbox",misp-galaxy:mitre-attack-pattern="Template Injection - T1221",misp-galaxy:sector="Energy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Manufacturing",misp-galaxy:sector="News - Media",workflow:state="complete",tlp:white] Outgoing To IP: 104.168.140.23"; classtype:trojan-activity; sid:4159311; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/299;) alert dns any any -> any any (msg: "MISP e299 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="australia",misp-galaxy:country="malaysia",misp-galaxy:malpedia="scanbox",misp-galaxy:mitre-attack-pattern="Template Injection - T1221",misp-galaxy:sector="Energy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Manufacturing",misp-galaxy:sector="News - Media",workflow:state="complete",tlp:white] Domain walmartsde.com"; dns.query; content:"walmartsde.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])walmartsde\.com$/i"; classtype:trojan-activity; sid:4159321; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/299;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e299 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="australia",misp-galaxy:country="malaysia",misp-galaxy:malpedia="scanbox",misp-galaxy:mitre-attack-pattern="Template Injection - T1221",misp-galaxy:sector="Energy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Manufacturing",misp-galaxy:sector="News - Media",workflow:state="complete",tlp:white] Outgoing HTTP Domain walmartsde.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"walmartsde.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])walmartsde\.com[^A-Za-z0-9-\.]/Hi"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4159322; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/299;) alert dns any any -> any any (msg: "MISP e299 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="australia",misp-galaxy:country="malaysia",misp-galaxy:malpedia="scanbox",misp-galaxy:mitre-attack-pattern="Template Injection - T1221",misp-galaxy:sector="Energy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Manufacturing",misp-galaxy:sector="News - Media",workflow:state="complete",tlp:white] Domain regionail.xyz"; dns.query; content:"regionail.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])regionail\.xyz$/i"; classtype:trojan-activity; sid:4159331; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/299;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e299 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="australia",misp-galaxy:country="malaysia",misp-galaxy:malpedia="scanbox",misp-galaxy:mitre-attack-pattern="Template Injection - T1221",misp-galaxy:sector="Energy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Manufacturing",misp-galaxy:sector="News - Media",workflow:state="complete",tlp:white] Outgoing HTTP Domain regionail.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"regionail.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])regionail\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4159332; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/299;) alert ip $HOME_NET any -> 198.13.45.227 any (msg: "MISP e299 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="australia",misp-galaxy:country="malaysia",misp-galaxy:malpedia="scanbox",misp-galaxy:mitre-attack-pattern="Template Injection - 
T1221",misp-galaxy:sector="Energy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Manufacturing",misp-galaxy:sector="News - Media",workflow:state="complete",tlp:white] Outgoing To IP: 198.13.45.227"; classtype:trojan-activity; sid:4159341; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/299;) alert ip $HOME_NET any -> 45.77.237.243 any (msg: "MISP e299 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="australia",misp-galaxy:country="malaysia",misp-galaxy:malpedia="scanbox",misp-galaxy:mitre-attack-pattern="Template Injection - T1221",misp-galaxy:sector="Energy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Manufacturing",misp-galaxy:sector="News - Media",workflow:state="complete",tlp:white] Outgoing To IP: 45.77.237.243"; classtype:trojan-activity; sid:4159351; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/299;) alert dns any any -> any any (msg: "MISP e299 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="australia",misp-galaxy:country="malaysia",misp-galaxy:malpedia="scanbox",misp-galaxy:mitre-attack-pattern="Template Injection - T1221",misp-galaxy:sector="Energy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Manufacturing",misp-galaxy:sector="News - Media",workflow:state="complete",tlp:white] Domain heraldsun.me"; dns.query; content:"heraldsun.me"; nocase; pcre: "/(^|[^A-Za-z0-9-])heraldsun\.me$/i"; classtype:trojan-activity; sid:4159361; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/299;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e299 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",misp-galaxy:country="australia",misp-galaxy:country="malaysia",misp-galaxy:malpedia="scanbox",misp-galaxy:mitre-attack-pattern="Template Injection - 
T1221",misp-galaxy:sector="Energy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Manufacturing",misp-galaxy:sector="News - Media",workflow:state="complete",tlp:white] Outgoing HTTP Domain heraldsun.me"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"heraldsun.me"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])heraldsun\.me[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4159362; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/299;) alert ip $HOME_NET any -> 137.184.181.252 any (msg: "MISP e300 [tlp:white] Outgoing To IP: 137.184.181.252"; classtype:trojan-activity; sid:4159681; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/300;) alert ip $HOME_NET any -> 138.197.218.11 any (msg: "MISP e300 [tlp:white] Outgoing To IP: 138.197.218.11"; classtype:trojan-activity; sid:4159691; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/300;) alert ip $HOME_NET any -> 138.68.19.94 any (msg: "MISP e300 [tlp:white] Outgoing To IP: 138.68.19.94"; classtype:trojan-activity; sid:4159701; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/300;) alert ip $HOME_NET any -> 138.68.59.16 any (msg: "MISP e300 [tlp:white] Outgoing To IP: 138.68.59.16"; classtype:trojan-activity; sid:4159711; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/300;) alert ip $HOME_NET any -> 159.65.248.159 any (msg: "MISP e300 [tlp:white] Outgoing To IP: 159.65.248.159"; classtype:trojan-activity; sid:4159721; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/300;) alert ip $HOME_NET any -> 206.188.197.125 any (msg: "MISP e300 [tlp:white] Outgoing To IP: 206.188.197.125"; classtype:trojan-activity; sid:4159731; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/300;) alert ip $HOME_NET any -> 64.190.113.100 any (msg: "MISP e300 [tlp:white] Outgoing To IP: 64.190.113.100"; 
classtype:trojan-activity; sid:4159741; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/300;) alert ip $HOME_NET any -> 186.90.144.235 2222 (msg: "MISP e301 [tlp:white] Outgoing To IP: 186.90.144.235|2222"; classtype:trojan-activity; sid:4159941; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/301;) alert ip $HOME_NET any -> 186.81.122.168 443 (msg: "MISP e301 [tlp:white] Outgoing To IP: 186.81.122.168|443"; classtype:trojan-activity; sid:4159951; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/301;) alert ip $HOME_NET any -> 85.86.242.245 443 (msg: "MISP e301 [tlp:white] Outgoing To IP: 85.86.242.245|443"; classtype:trojan-activity; sid:4159961; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/301;) alert ip $HOME_NET any -> 193.3.19.137 443 (msg: "MISP e301 [tlp:white] Outgoing To IP: 193.3.19.137|443"; classtype:trojan-activity; sid:4159971; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/301;) alert http $HOME_NET any -> 194.165.16.64 $HTTP_PORTS (msg: "MISP e301 [tlp:white] Outgoing URL http|3a|//194.165.16.64/prepare/add.mp4a"; flow:to_server,established; http.header; content:"194.165.16.64"; fast_pattern; nocase; http.uri; content:"/prepare/add.mp4a"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4159981; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/301;) alert http $HOME_NET any -> 194.165.16.64 $HTTP_PORTS (msg: "MISP e301 [tlp:white] Outgoing URL http|3a|//194.165.16.64/risk.ico"; flow:to_server,established; http.header; content:"194.165.16.64"; fast_pattern; nocase; http.uri; content:"/risk.ico"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4159991; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/301;) alert http $HOME_NET any -> 194.165.16.64 $HTTP_PORTS (msg: "MISP e301 [tlp:white] Outgoing URL http|3a|//194.165.16.64/target"; flow:to_server,established; http.header; 
content:"194.165.16.64"; fast_pattern; nocase; http.uri; content:"/target"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4160001; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/301;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e307 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:mitre-intrusion-set="Volatile Cedar - G0123",misp-galaxy:mitre-intrusion-set="Kimsuky - G0094",misp-galaxy:mitre-malware="Triada - S0424",misp-galaxy:amitt-misinformation-pattern="WhatsApp",workflow:state="complete"] Outgoing URL https|3a|//g1790.rt14v.com"; tls.sni; content:"g1790.rt14v.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4161371; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/307;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e307 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:mitre-intrusion-set="Volatile Cedar - G0123",misp-galaxy:mitre-intrusion-set="Kimsuky - G0094",misp-galaxy:mitre-malware="Triada - S0424",misp-galaxy:amitt-misinformation-pattern="WhatsApp",workflow:state="complete"] Outgoing URL http|3a|//av2wg.rt14v.com"; flow:to_server,established; http.header; content:"av2wg.rt14v.com"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4161381; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/307;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e307 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:mitre-intrusion-set="Volatile Cedar - G0123",misp-galaxy:mitre-intrusion-set="Kimsuky - G0094",misp-galaxy:mitre-malware="Triada - S0424",misp-galaxy:amitt-misinformation-pattern="WhatsApp",workflow:state="complete"] Outgoing URL https|3a|//wa.zcnewy.com"; tls.sni; content:"wa.zcnewy.com"; tag:session,600,seconds; classtype:trojan-activity; 
sid:4161391; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/307;) alert http $HOME_NET any -> 200.159.87.196 $HTTP_PORTS (msg: "MISP e306 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:mitre-enterprise-attack-malware="ASPXSpy - S0073",misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="ipconfig - S0100",misp-galaxy:mitre-enterprise-attack-tool="cmd - S0106",misp-galaxy:tool="Netcat",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="Credentials - T1589.001",misp-galaxy:mitre-attack-pattern="Vulnerabilities - T1588.006",workflow:state="complete"] Outgoing URL http|3a|//200.159.87.196/1.msi"; flow:to_server,established; http.header; content:"200.159.87.196"; fast_pattern; nocase; http.uri; content:"/1.msi"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4161161; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/306;) alert ip $HOME_NET any -> 200.159.87.196 any (msg: "MISP e306 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:mitre-enterprise-attack-malware="ASPXSpy - S0073",misp-galaxy:mitre-enterprise-attack-tool="Mimikatz - S0002",misp-galaxy:mitre-enterprise-attack-tool="ipconfig - S0100",misp-galaxy:mitre-enterprise-attack-tool="cmd - S0106",misp-galaxy:tool="Netcat",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="Credentials - T1589.001",misp-galaxy:mitre-attack-pattern="Vulnerabilities - T1588.006",workflow:state="complete"] Outgoing To IP: 200.159.87.196"; classtype:trojan-activity; sid:4161191; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/306;) alert ip $HOME_NET any -> 185.82.217.131 any 
(msg: "MISP e310 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,workflow:state="complete"] Outgoing To IP: 185.82.217.131"; classtype:trojan-activity; sid:4162361; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/310;) alert ip $HOME_NET any -> 138.199.47.184 any (msg: "MISP e310 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,workflow:state="complete"] Outgoing To IP: 138.199.47.184"; classtype:trojan-activity; sid:4162401; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/310;) alert ip $HOME_NET any -> 185.82.219.201 any (msg: "MISP e310 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,workflow:state="complete"] Outgoing To IP: 185.82.219.201"; classtype:trojan-activity; sid:4162411; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/310;) alert ip $HOME_NET any -> 182.82.219.201 any (msg: "MISP e310 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,workflow:state="complete"] Outgoing To IP: 182.82.219.201"; classtype:trojan-activity; sid:4162421; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/310;) alert tls $HOME_NET any -> $EXTERNAL_NET 8080 (msg: "MISP e309 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,workflow:state="complete"] Outgoing URL https|3a|//symantecuptimehost.com|3a|8080/admin.php?login="; tls.sni; content:"symantecuptimehost.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4161891; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/309;) alert dns any any -> any any (msg: "MISP e309 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,workflow:state="complete"] Domain symantecuptimehost.com"; dns.query; content:"symantecuptimehost.com"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])symantecuptimehost\.com$/i"; classtype:trojan-activity; sid:4161981; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/309;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e309 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,workflow:state="complete"] Outgoing HTTP Domain symantecuptimehost.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"symantecuptimehost.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])symantecuptimehost\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4161982; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/309;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e309 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,workflow:state="complete"] Outgoing URL https|3a|//fewifasoc.com"; tls.sni; content:"fewifasoc.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4162071; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/309;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e309 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,workflow:state="complete"] Outgoing URL https|3a|//himiketiv.com"; tls.sni; content:"himiketiv.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4162081; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/309;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e309 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,workflow:state="complete"] Outgoing URL https|3a|//hadujaza.com"; tls.sni; content:"hadujaza.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4162091; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/309;) alert ip $HOME_NET any -> 45.153.242.251 any (msg: "MISP e309 
[misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,workflow:state="complete"] Outgoing To IP: 45.153.242.251"; classtype:trojan-activity; sid:4162101; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/309;) alert ip $HOME_NET any -> 45.153.241.64 any (msg: "MISP e309 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,workflow:state="complete"] Outgoing To IP: 45.153.241.64"; classtype:trojan-activity; sid:4162111; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/309;) alert ip $HOME_NET any -> 45.153.241.88 any (msg: "MISP e309 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,workflow:state="complete"] Outgoing To IP: 45.153.241.88"; classtype:trojan-activity; sid:4162121; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/309;) alert dns any any -> any any (msg: "MISP e311 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,workflow:state="complete",misp-galaxy:sector="Casino"] Hostname quic.flashesplayer.com"; dns.query; content:"quic.flashesplayer.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])quic\.flashesplayer\.com$/i"; classtype:trojan-activity; sid:4162791; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/311;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e311 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,workflow:state="complete",misp-galaxy:sector="Casino"] Outgoing HTTP Hostname quic.flashesplayer.com"; flow:to_server,established; http.header; content: "Host|3a| quic.flashesplayer.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])quic\.flashesplayer\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4162792; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/311;) alert dns any any -> any any (msg: 
"MISP e311 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,workflow:state="complete",misp-galaxy:sector="Casino"] Hostname archivess.imangoim.net"; dns.query; content:"archivess.imangoim.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])archivess\.imangoim\.net$/i"; classtype:trojan-activity; sid:4162801; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/311;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e311 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,workflow:state="complete",misp-galaxy:sector="Casino"] Outgoing HTTP Hostname archivess.imangoim.net"; flow:to_server,established; http.header; content: "Host|3a| archivess.imangoim.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])archivess\.imangoim\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4162802; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/311;) alert ip $HOME_NET any -> 202.182.115.238 any (msg: "MISP e311 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,workflow:state="complete",misp-galaxy:sector="Casino"] Outgoing To IP: 202.182.115.238"; classtype:trojan-activity; sid:4162811; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/311;) alert ip $HOME_NET any -> 45.77.47.149 any (msg: "MISP e311 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,workflow:state="complete",misp-galaxy:sector="Casino"] Outgoing To IP: 45.77.47.149"; classtype:trojan-activity; sid:4162831; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/311;) alert ip $HOME_NET any -> 45.67.229.148 any (msg: "MISP e314 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:banker="Qakbot",misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:mitre-tool="BloodHound - 
S0521",misp-galaxy:mitre-tool="AdFind - S0552",misp-galaxy:mitre-intrusion-set="FIN7",misp-galaxy:mitre-tool="cmd",misp-galaxy:financial-fraud="Phishing",misp-galaxy:malpedia="SocksBot",misp-galaxy:malpedia="SystemBC",misp-galaxy:mitre-ics-tactics="Evasion",misp-galaxy:mitre-ics-tactics="Execution",misp-galaxy:mitre-ics-tactics="Initial Access",misp-galaxy:rat="Netsupport Manager",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",workflow:state="complete"] Outgoing To IP: 45.67.229.148"; classtype:trojan-activity; sid:4163011; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/314;) alert ip $HOME_NET any -> 45.67.229.148 any (msg: "MISP e314 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:banker="Qakbot",misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:mitre-tool="BloodHound - S0521",misp-galaxy:mitre-tool="AdFind - S0552",misp-galaxy:mitre-intrusion-set="FIN7",misp-galaxy:mitre-tool="cmd",misp-galaxy:financial-fraud="Phishing",misp-galaxy:malpedia="SocksBot",misp-galaxy:malpedia="SystemBC",misp-galaxy:mitre-ics-tactics="Evasion",misp-galaxy:mitre-ics-tactics="Execution",misp-galaxy:mitre-ics-tactics="Initial Access",misp-galaxy:rat="Netsupport Manager",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",workflow:state="complete"] Outgoing To IP: 45.67.229.148"; classtype:trojan-activity; sid:4163231; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/314;) alert dns any any -> any any (msg: "MISP e314 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:banker="Qakbot",misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:mitre-tool="BloodHound - S0521",misp-galaxy:mitre-tool="AdFind - 
S0552",misp-galaxy:mitre-intrusion-set="FIN7",misp-galaxy:mitre-tool="cmd",misp-galaxy:financial-fraud="Phishing",misp-galaxy:malpedia="SocksBot",misp-galaxy:malpedia="SystemBC",misp-galaxy:mitre-ics-tactics="Evasion",misp-galaxy:mitre-ics-tactics="Execution",misp-galaxy:mitre-ics-tactics="Initial Access",misp-galaxy:rat="Netsupport Manager",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",workflow:state="complete"] Domain jardinoks.com"; dns.query; content:"jardinoks.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])jardinoks\.com$/i"; classtype:trojan-activity; sid:4163241; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/314;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e314 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:banker="Qakbot",misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:mitre-tool="BloodHound - S0521",misp-galaxy:mitre-tool="AdFind - S0552",misp-galaxy:mitre-intrusion-set="FIN7",misp-galaxy:mitre-tool="cmd",misp-galaxy:financial-fraud="Phishing",misp-galaxy:malpedia="SocksBot",misp-galaxy:malpedia="SystemBC",misp-galaxy:mitre-ics-tactics="Evasion",misp-galaxy:mitre-ics-tactics="Execution",misp-galaxy:mitre-ics-tactics="Initial Access",misp-galaxy:rat="Netsupport Manager",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",workflow:state="complete"] Outgoing HTTP Domain jardinoks.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"jardinoks.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])jardinoks\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4163242; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/314;) alert ip $HOME_NET any -> 43.205.33.202 any (msg: "MISP e316 
[misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing To IP: 43.205.33.202"; classtype:trojan-activity; sid:4163311; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert ip $HOME_NET any -> 46.246.84.74 any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing To IP: 46.246.84.74"; classtype:trojan-activity; sid:4163321; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert ip $HOME_NET any -> 72.11.142.240 any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing To IP: 72.11.142.240"; classtype:trojan-activity; sid:4163331; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert ip $HOME_NET any -> 178.73.192.17 any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing To IP: 178.73.192.17"; classtype:trojan-activity; sid:4163341; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert dns any any -> any any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Hostname banqueislamik.ddrive.online"; dns.query; content:"banqueislamik.ddrive.online"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])banqueislamik\.ddrive\.online$/i"; classtype:trojan-activity; sid:4163351; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing HTTP Hostname 
banqueislamik.ddrive.online"; flow:to_server,established; http.header; content: "Host|3a| banqueislamik.ddrive.online"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])banqueislamik\.ddrive\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4163352; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert ip $HOME_NET any -> 46.246.84.17 any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing To IP: 46.246.84.17"; classtype:trojan-activity; sid:4163361; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert ip $HOME_NET any -> 46.246.84.21 any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing To IP: 46.246.84.21"; classtype:trojan-activity; sid:4163371; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert dns any any -> any any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Hostname files.ddrive.online"; dns.query; content:"files.ddrive.online"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])files\.ddrive\.online$/i"; classtype:trojan-activity; sid:4163381; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing HTTP Hostname files.ddrive.online"; flow:to_server,established; http.header; content: "Host|3a| files.ddrive.online"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])files\.ddrive\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4163382; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/316;) alert ip $HOME_NET any -> 20.91.192.253 any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing To IP: 20.91.192.253"; classtype:trojan-activity; sid:4163391; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert ip $HOME_NET any -> 188.126.90.14 any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing To IP: 188.126.90.14"; classtype:trojan-activity; sid:4163401; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert ip $HOME_NET any -> 176.9.193.5 any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing To IP: 176.9.193.5"; classtype:trojan-activity; sid:4163561; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert ip $HOME_NET any -> 108.62.49.249 any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing To IP: 108.62.49.249"; classtype:trojan-activity; sid:4163571; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert ip $HOME_NET any -> 154.44.177.192 any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing To IP: 154.44.177.192"; classtype:trojan-activity; sid:4163581; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert dns any any -> any any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Hostname actu.afrikmedia.info"; 
dns.query; content:"actu.afrikmedia.info"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])actu\.afrikmedia\.info$/i"; classtype:trojan-activity; sid:4163591; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing HTTP Hostname actu.afrikmedia.info"; flow:to_server,established; http.header; content: "Host|3a| actu.afrikmedia.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])actu\.afrikmedia\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4163592; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert dns any any -> any any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Hostname actu.banquealtantique.net"; dns.query; content:"actu.banquealtantique.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])actu\.banquealtantique\.net$/i"; classtype:trojan-activity; sid:4163601; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing HTTP Hostname actu.banquealtantique.net"; flow:to_server,established; http.header; content: "Host|3a| actu.banquealtantique.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])actu\.banquealtantique\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4163602; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert dns any any -> any any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] 
Hostname bac.eimaragon.org"; dns.query; content:"bac.eimaragon.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])bac\.eimaragon\.org$/i"; classtype:trojan-activity; sid:4163611; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing HTTP Hostname bac.eimaragon.org"; flow:to_server,established; http.header; content: "Host|3a| bac.eimaragon.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])bac\.eimaragon\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4163612; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert dns any any -> any any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Hostname bac.senegalsante.org"; dns.query; content:"bac.senegalsante.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])bac\.senegalsante\.org$/i"; classtype:trojan-activity; sid:4163621; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing HTTP Hostname bac.senegalsante.org"; flow:to_server,established; http.header; content: "Host|3a| bac.senegalsante.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])bac\.senegalsante\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4163622; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert dns any any -> any any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Hostname 
blackid-35778.portmap.io"; dns.query; content:"blackid-35778.portmap.io"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])blackid\-35778\.portmap\.io$/i"; classtype:trojan-activity; sid:4163631; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing HTTP Hostname blackid-35778.portmap.io"; flow:to_server,established; http.header; content: "Host|3a| blackid-35778.portmap.io"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])blackid\-35778\.portmap\.io[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4163632; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert dns any any -> any any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Hostname boa.eimaragon.org"; dns.query; content:"boa.eimaragon.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])boa\.eimaragon\.org$/i"; classtype:trojan-activity; sid:4163641; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing HTTP Hostname boa.eimaragon.org"; flow:to_server,established; http.header; content: "Host|3a| boa.eimaragon.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])boa\.eimaragon\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4163642; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert dns any any -> any any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] 
Hostname bproduction.duckdns.org"; dns.query; content:"bproduction.duckdns.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])bproduction\.duckdns\.org$/i"; classtype:trojan-activity; sid:4163651; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing HTTP Hostname bproduction.duckdns.org"; flow:to_server,established; http.header; content: "Host|3a| bproduction.duckdns.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])bproduction\.duckdns\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4163652; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert dns any any -> any any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Hostname bproduction.zapto.org"; dns.query; content:"bproduction.zapto.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])bproduction\.zapto\.org$/i"; classtype:trojan-activity; sid:4163661; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing HTTP Hostname bproduction.zapto.org"; flow:to_server,established; http.header; content: "Host|3a| bproduction.zapto.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])bproduction\.zapto\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4163662; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert dns any any -> any any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing 
Link - T1566.002"] Hostname chance2019.ddns.net"; dns.query; content:"chance2019.ddns.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])chance2019\.ddns\.net$/i"; classtype:trojan-activity; sid:4163671; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing HTTP Hostname chance2019.ddns.net"; flow:to_server,established; http.header; content: "Host|3a| chance2019.ddns.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])chance2019\.ddns\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4163672; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert dns any any -> any any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Hostname cnam.myvnc.com"; dns.query; content:"cnam.myvnc.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cnam\.myvnc\.com$/i"; classtype:trojan-activity; sid:4163681; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing HTTP Hostname cnam.myvnc.com"; flow:to_server,established; http.header; content: "Host|3a| cnam.myvnc.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cnam\.myvnc\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4163682; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert dns any any -> any any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Hostname cobalt.warii.club"; 
dns.query; content:"cobalt.warii.club"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cobalt\.warii\.club$/i"; classtype:trojan-activity; sid:4163691; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing HTTP Hostname cobalt.warii.club"; flow:to_server,established; http.header; content: "Host|3a| cobalt.warii.club"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cobalt\.warii\.club[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4163692; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert dns any any -> any any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Hostname contact.senegalsante.org"; dns.query; content:"contact.senegalsante.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])contact\.senegalsante\.org$/i"; classtype:trojan-activity; sid:4163701; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing HTTP Hostname contact.senegalsante.org"; flow:to_server,established; http.header; content: "Host|3a| contact.senegalsante.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])contact\.senegalsante\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4163702; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert dns any any -> any any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Hostname 
download.nortonupdate.com"; dns.query; content:"download.nortonupdate.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])download\.nortonupdate\.com$/i"; classtype:trojan-activity; sid:4163711; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing HTTP Hostname download.nortonupdate.com"; flow:to_server,established; http.header; content: "Host|3a| download.nortonupdate.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])download\.nortonupdate\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4163712; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert dns any any -> any any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Hostname driver.eimaragon.org"; dns.query; content:"driver.eimaragon.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])driver\.eimaragon\.org$/i"; classtype:trojan-activity; sid:4163721; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing HTTP Hostname driver.eimaragon.org"; flow:to_server,established; http.header; content: "Host|3a| driver.eimaragon.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])driver\.eimaragon\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4163722; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert dns any any -> any any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing 
Link - T1566.002"] Hostname fuck90.duckdns.org"; dns.query; content:"fuck90.duckdns.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])fuck90\.duckdns\.org$/i"; classtype:trojan-activity; sid:4163731; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing HTTP Hostname fuck90.duckdns.org"; flow:to_server,established; http.header; content: "Host|3a| fuck90.duckdns.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])fuck90\.duckdns\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4163732; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert dns any any -> any any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Hostname hunterx1-37009.portmap.io"; dns.query; content:"hunterx1-37009.portmap.io"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])hunterx1\-37009\.portmap\.io$/i"; classtype:trojan-activity; sid:4163741; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing HTTP Hostname hunterx1-37009.portmap.io"; flow:to_server,established; http.header; content: "Host|3a| hunterx1-37009.portmap.io"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])hunterx1\-37009\.portmap\.io[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4163742; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert dns any any -> any any (msg: "MISP e316 
[misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Hostname info.senegalsante.org"; dns.query; content:"info.senegalsante.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])info\.senegalsante\.org$/i"; classtype:trojan-activity; sid:4163751; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing HTTP Hostname info.senegalsante.org"; flow:to_server,established; http.header; content: "Host|3a| info.senegalsante.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])info\.senegalsante\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4163752; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert dns any any -> any any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Domain kaspersky-lab.org"; dns.query; content:"kaspersky-lab.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])kaspersky\-lab\.org$/i"; classtype:trojan-activity; sid:4163761; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing HTTP Domain kaspersky-lab.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kaspersky-lab.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kaspersky\-lab\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4163762; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert dns any any -> any any (msg: 
"MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Domain mcafee-endpoint.com"; dns.query; content:"mcafee-endpoint.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])mcafee\-endpoint\.com$/i"; classtype:trojan-activity; sid:4163771; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing HTTP Domain mcafee-endpoint.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mcafee-endpoint.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mcafee\-endpoint\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4163772; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert dns any any -> any any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Domain microsoft-af.com"; dns.query; content:"microsoft-af.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])microsoft\-af\.com$/i"; classtype:trojan-activity; sid:4163781; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing HTTP Domain microsoft-af.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"microsoft-af.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])microsoft\-af\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4163782; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert dns any any -> 
any any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Hostname news.banquealtantique.net"; dns.query; content:"news.banquealtantique.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])news\.banquealtantique\.net$/i"; classtype:trojan-activity; sid:4163791; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing HTTP Hostname news.banquealtantique.net"; flow:to_server,established; http.header; content: "Host|3a| news.banquealtantique.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])news\.banquealtantique\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4163792; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert dns any any -> any any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Hostname news.coris-bank.fr"; dns.query; content:"news.coris-bank.fr"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])news\.coris\-bank\.fr$/i"; classtype:trojan-activity; sid:4163801; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing HTTP Hostname news.coris-bank.fr"; flow:to_server,established; http.header; content: "Host|3a| news.coris-bank.fr"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])news\.coris\-bank\.fr[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4163802; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert 
dns any any -> any any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Hostname noreplyrobot.duckdns.org"; dns.query; content:"noreplyrobot.duckdns.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])noreplyrobot\.duckdns\.org$/i"; classtype:trojan-activity; sid:4163811; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing HTTP Hostname noreplyrobot.duckdns.org"; flow:to_server,established; http.header; content: "Host|3a| noreplyrobot.duckdns.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])noreplyrobot\.duckdns\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4163812; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert dns any any -> any any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Hostname operan.ddns.net"; dns.query; content:"operan.ddns.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])operan\.ddns\.net$/i"; classtype:trojan-activity; sid:4163821; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing HTTP Hostname operan.ddns.net"; flow:to_server,established; http.header; content: "Host|3a| operan.ddns.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])operan\.ddns\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4163822; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert dns any any 
-> any any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Hostname personnels.bdm-sa.fr"; dns.query; content:"personnels.bdm-sa.fr"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])personnels\.bdm\-sa\.fr$/i"; classtype:trojan-activity; sid:4163831; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing HTTP Hostname personnels.bdm-sa.fr"; flow:to_server,established; http.header; content: "Host|3a| personnels.bdm-sa.fr"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])personnels\.bdm\-sa\.fr[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4163832; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert dns any any -> any any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Hostname serveur1.hopto.org"; dns.query; content:"serveur1.hopto.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])serveur1\.hopto\.org$/i"; classtype:trojan-activity; sid:4163841; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing HTTP Hostname serveur1.hopto.org"; flow:to_server,established; http.header; content: "Host|3a| serveur1.hopto.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])serveur1\.hopto\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4163842; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert dns any any -> any any 
(msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Hostname update.mcafee-endpoint.com"; dns.query; content:"update.mcafee-endpoint.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])update\.mcafee\-endpoint\.com$/i"; classtype:trojan-activity; sid:4163851; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing HTTP Hostname update.mcafee-endpoint.com"; flow:to_server,established; http.header; content: "Host|3a| update.mcafee-endpoint.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])update\.mcafee\-endpoint\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4163852; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert dns any any -> any any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Hostname update.microsoft-af.com"; dns.query; content:"update.microsoft-af.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])update\.microsoft\-af\.com$/i"; classtype:trojan-activity; sid:4163861; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing HTTP Hostname update.microsoft-af.com"; flow:to_server,established; http.header; content: "Host|3a| update.microsoft-af.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])update\.microsoft\-af\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4163862; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/316;) alert dns any any -> any any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Hostname update.kaspersky-lab.org"; dns.query; content:"update.kaspersky-lab.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])update\.kaspersky\-lab\.org$/i"; classtype:trojan-activity; sid:4163871; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing HTTP Hostname update.kaspersky-lab.org"; flow:to_server,established; http.header; content: "Host|3a| update.kaspersky-lab.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])update\.kaspersky\-lab\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4163872; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert dns any any -> any any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Hostname windowsupdaters.zapto.org"; dns.query; content:"windowsupdaters.zapto.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])windowsupdaters\.zapto\.org$/i"; classtype:trojan-activity; sid:4163881; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing HTTP Hostname windowsupdaters.zapto.org"; flow:to_server,established; http.header; content: "Host|3a| windowsupdaters.zapto.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])windowsupdaters\.zapto\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4163882; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert dns any any -> any any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Hostname windowsupgraders.ddns.net"; dns.query; content:"windowsupgraders.ddns.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])windowsupgraders\.ddns\.net$/i"; classtype:trojan-activity; sid:4163891; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing HTTP Hostname windowsupgraders.ddns.net"; flow:to_server,established; http.header; content: "Host|3a| windowsupgraders.ddns.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])windowsupgraders\.ddns\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4163892; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert dns any any -> any any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Hostname winsec.ddns.net"; dns.query; content:"winsec.ddns.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])winsec\.ddns\.net$/i"; classtype:trojan-activity; sid:4163901; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing HTTP Hostname winsec.ddns.net"; flow:to_server,established; http.header; content: "Host|3a| winsec.ddns.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])winsec\.ddns\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4163902; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert dns any any -> any any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Hostname winsec.senegalsante.org"; dns.query; content:"winsec.senegalsante.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])winsec\.senegalsante\.org$/i"; classtype:trojan-activity; sid:4163911; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing HTTP Hostname winsec.senegalsante.org"; flow:to_server,established; http.header; content: "Host|3a| winsec.senegalsante.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])winsec\.senegalsante\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4163912; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert dns any any -> any any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Hostname winsec.warii.club"; dns.query; content:"winsec.warii.club"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])winsec\.warii\.club$/i"; classtype:trojan-activity; sid:4163921; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing HTTP Hostname winsec.warii.club"; flow:to_server,established; http.header; content: "Host|3a| winsec.warii.club"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])winsec\.warii\.club[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4163922; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert dns any any -> any any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Hostname wsus.microsoft-af.com"; dns.query; content:"wsus.microsoft-af.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])wsus\.microsoft\-af\.com$/i"; classtype:trojan-activity; sid:4163931; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e316 [misp-galaxy:sector="Finance",misp-galaxy:sector="Telecoms",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing HTTP Hostname wsus.microsoft-af.com"; flow:to_server,established; http.header; content: "Host|3a| wsus.microsoft-af.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])wsus\.microsoft\-af\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4163932; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/316;) alert dns any any -> any any (msg: "MISP e319 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011",misp-galaxy:mitre-attack-pattern="Invalid Code Signature - T1036.001",misp-galaxy:mitre-attack-pattern="Hijack Execution Flow - T1574",misp-galaxy:country="philippines",workflow:state="complete"] Hostname closed.theworkpc.com"; dns.query; content:"closed.theworkpc.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])closed\.theworkpc\.com$/i"; classtype:trojan-activity; sid:4166161; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/319;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e319 
[misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091",misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011",misp-galaxy:mitre-attack-pattern="Invalid Code Signature - T1036.001",misp-galaxy:mitre-attack-pattern="Hijack Execution Flow - T1574",misp-galaxy:country="philippines",workflow:state="complete"] Outgoing HTTP Hostname closed.theworkpc.com"; flow:to_server,established; http.header; content: "Host|3a| closed.theworkpc.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])closed\.theworkpc\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4166162; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/319;) alert ip $HOME_NET any -> 5.8.95.174 any (msg: "MISP e321 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:mitre-attack-pattern="Component Object Model - T1559.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Native API - T1106",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:target-information="Japan",misp-galaxy:malpedia="LODEINFO",workflow:state="complete"] Outgoing To IP: 5.8.95.174"; classtype:trojan-activity; sid:4167541; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/321;) alert ip $HOME_NET any -> 45.32.13.180 any (msg: "MISP e321 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:mitre-attack-pattern="Component Object Model - T1559.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Native API - T1106",misp-galaxy:mitre-attack-pattern="Registry Run Keys / 
Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:target-information="Japan",misp-galaxy:malpedia="LODEINFO",workflow:state="complete"] Outgoing To IP: 45.32.13.180"; classtype:trojan-activity; sid:4167551; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/321;) alert ip $HOME_NET any -> 103.175.16.39 any (msg: "MISP e321 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:mitre-attack-pattern="Component Object Model - T1559.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Native API - T1106",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:target-information="Japan",misp-galaxy:malpedia="LODEINFO",workflow:state="complete"] Outgoing To IP: 103.175.16.39"; classtype:trojan-activity; sid:4167561; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/321;) alert dns any any -> any any (msg: "MISP e321 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:mitre-attack-pattern="Component Object Model - T1559.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Native API - T1106",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:target-information="Japan",misp-galaxy:malpedia="LODEINFO",workflow:state="complete"] Hostname www.ninesmn.com"; dns.query; content:"www.ninesmn.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.ninesmn\.com$/i"; classtype:trojan-activity; sid:4167591; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/321;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e321 
[misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:mitre-attack-pattern="Component Object Model - T1559.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Native API - T1106",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:target-information="Japan",misp-galaxy:malpedia="LODEINFO",workflow:state="complete"] Outgoing HTTP Hostname www.ninesmn.com"; flow:to_server,established; http.header; content: "Host|3a| www.ninesmn.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.ninesmn\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4167592; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/321;) alert ip $HOME_NET any -> 167.179.116.56 any (msg: "MISP e321 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:mitre-attack-pattern="Component Object Model - T1559.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Native API - T1106",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:target-information="Japan",misp-galaxy:malpedia="LODEINFO",workflow:state="complete"] Outgoing To IP: 167.179.116.56"; classtype:trojan-activity; sid:4167601; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/321;) alert dns any any -> any any (msg: "MISP e321 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:mitre-attack-pattern="Component Object Model - T1559.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Native API - T1106",misp-galaxy:mitre-attack-pattern="Registry Run 
Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:target-information="Japan",misp-galaxy:malpedia="LODEINFO",workflow:state="complete"] Hostname www.aesorunwe.com"; dns.query; content:"www.aesorunwe.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.aesorunwe\.com$/i"; classtype:trojan-activity; sid:4167611; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/321;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e321 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:mitre-attack-pattern="Component Object Model - T1559.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Native API - T1106",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:target-information="Japan",misp-galaxy:malpedia="LODEINFO",workflow:state="complete"] Outgoing HTTP Hostname www.aesorunwe.com"; flow:to_server,established; http.header; content: "Host|3a| www.aesorunwe.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.aesorunwe\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4167612; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/321;) alert ip $HOME_NET any -> 172.105.217.233 any (msg: "MISP e321 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:mitre-attack-pattern="Component Object Model - T1559.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Native API - T1106",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:target-information="Japan",misp-galaxy:malpedia="LODEINFO",workflow:state="complete"] 
Outgoing To IP: 172.105.217.233"; classtype:trojan-activity; sid:4167621; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/321;) alert dns any any -> any any (msg: "MISP e323 [misp-galaxy:malpedia="Andromeda",misp-galaxy:malpedia="KopiLuwak",tlp:white,misp-galaxy:mitre-attack-pattern="Application Window Discovery - T1010",misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004",misp-galaxy:mitre-attack-pattern="Hidden Window - T1564.003",misp-galaxy:mitre-attack-pattern="Modify Registry - T1112",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Query Registry - T1012",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001",misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002",misp-galaxy:mitre-attack-pattern="Compromise Infrastructure - T1584",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Install Digital Certificate - T1608.003",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Shutdown/Reboot - T1529",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-intrusion-set="Turla - G0010"] Hostname manager.surro.am"; dns.query; content:"manager.surro.am"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])manager\.surro\.am$/i"; classtype:trojan-activity; sid:4167771; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/323;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e323 [misp-galaxy:malpedia="Andromeda",misp-galaxy:malpedia="KopiLuwak",tlp:white,misp-galaxy:mitre-attack-pattern="Application Window Discovery - T1010",misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004",misp-galaxy:mitre-attack-pattern="Hidden Window - T1564.003",misp-galaxy:mitre-attack-pattern="Modify Registry - T1112",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Query Registry - T1012",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001",misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002",misp-galaxy:mitre-attack-pattern="Compromise Infrastructure - T1584",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Install Digital Certificate - T1608.003",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Shutdown/Reboot - T1529",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-intrusion-set="Turla - G0010"] Outgoing HTTP Hostname manager.surro.am"; flow:to_server,established; http.header; content: "Host|3a| manager.surro.am"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])manager\.surro\.am[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4167772; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/323;) alert ip $HOME_NET any -> 194.67.209.186 443 (msg: 
"MISP e323 [misp-galaxy:malpedia="Andromeda",misp-galaxy:malpedia="KopiLuwak",tlp:white,misp-galaxy:mitre-attack-pattern="Application Window Discovery - T1010",misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004",misp-galaxy:mitre-attack-pattern="Hidden Window - T1564.003",misp-galaxy:mitre-attack-pattern="Modify Registry - T1112",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Query Registry - T1012",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001",misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002",misp-galaxy:mitre-attack-pattern="Compromise Infrastructure - T1584",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Install Digital Certificate - T1608.003",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Shutdown/Reboot - T1529",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-intrusion-set="Turla - G0010"] Outgoing To IP: 194.67.209.186|443"; classtype:trojan-activity; sid:4167991; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/323;) alert dns any any -> any any (msg: "MISP e323 [misp-galaxy:malpedia="Andromeda",misp-galaxy:malpedia="KopiLuwak",tlp:white,misp-galaxy:mitre-attack-pattern="Application Window Discovery - T1010",misp-galaxy:mitre-attack-pattern="File Deletion - 
T1070.004",misp-galaxy:mitre-attack-pattern="Hidden Window - T1564.003",misp-galaxy:mitre-attack-pattern="Modify Registry - T1112",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Query Registry - T1012",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001",misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002",misp-galaxy:mitre-attack-pattern="Compromise Infrastructure - T1584",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Install Digital Certificate - T1608.003",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Shutdown/Reboot - T1529",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-intrusion-set="Turla - G0010"] Domain anam0rph.su"; dns.query; content:"anam0rph.su"; nocase; pcre: "/(^|[^A-Za-z0-9-])anam0rph\.su$/i"; classtype:trojan-activity; sid:4167881; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/323;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e323 [misp-galaxy:malpedia="Andromeda",misp-galaxy:malpedia="KopiLuwak",tlp:white,misp-galaxy:mitre-attack-pattern="Application Window Discovery - T1010",misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004",misp-galaxy:mitre-attack-pattern="Hidden Window - T1564.003",misp-galaxy:mitre-attack-pattern="Modify Registry - 
T1112",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Query Registry - T1012",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001",misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002",misp-galaxy:mitre-attack-pattern="Compromise Infrastructure - T1584",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Install Digital Certificate - T1608.003",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Shutdown/Reboot - T1529",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-intrusion-set="Turla - G0010"] Outgoing HTTP Domain anam0rph.su"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"anam0rph.su"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])anam0rph\.su[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4167882; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/323;) alert ip $HOME_NET any -> 212.114.52.24 any (msg: "MISP e323 [misp-galaxy:malpedia="Andromeda",misp-galaxy:malpedia="KopiLuwak",tlp:white,misp-galaxy:mitre-attack-pattern="Application Window Discovery - T1010",misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004",misp-galaxy:mitre-attack-pattern="Hidden Window - T1564.003",misp-galaxy:mitre-attack-pattern="Modify Registry - 
T1112",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Query Registry - T1012",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001",misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002",misp-galaxy:mitre-attack-pattern="Compromise Infrastructure - T1584",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Install Digital Certificate - T1608.003",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Shutdown/Reboot - T1529",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-intrusion-set="Turla - G0010"] Outgoing To IP: 212.114.52.24"; classtype:trojan-activity; sid:4167891; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/323;) alert dns any any -> any any (msg: "MISP e323 [misp-galaxy:malpedia="Andromeda",misp-galaxy:malpedia="KopiLuwak",tlp:white,misp-galaxy:mitre-attack-pattern="Application Window Discovery - T1010",misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004",misp-galaxy:mitre-attack-pattern="Hidden Window - T1564.003",misp-galaxy:mitre-attack-pattern="Modify Registry - T1112",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Query Registry - 
T1012",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001",misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002",misp-galaxy:mitre-attack-pattern="Compromise Infrastructure - T1584",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Install Digital Certificate - T1608.003",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Shutdown/Reboot - T1529",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-intrusion-set="Turla - G0010"] Hostname yelprope.cloudns.cl"; dns.query; content:"yelprope.cloudns.cl"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])yelprope\.cloudns\.cl$/i"; classtype:trojan-activity; sid:4167911; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/323;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e323 [misp-galaxy:malpedia="Andromeda",misp-galaxy:malpedia="KopiLuwak",tlp:white,misp-galaxy:mitre-attack-pattern="Application Window Discovery - T1010",misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004",misp-galaxy:mitre-attack-pattern="Hidden Window - T1564.003",misp-galaxy:mitre-attack-pattern="Modify Registry - T1112",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Query Registry - T1012",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="System Network 
Connections Discovery - T1049",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001",misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002",misp-galaxy:mitre-attack-pattern="Compromise Infrastructure - T1584",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Install Digital Certificate - T1608.003",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Shutdown/Reboot - T1529",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-intrusion-set="Turla - G0010"] Outgoing HTTP Hostname yelprope.cloudns.cl"; flow:to_server,established; http.header; content: "Host|3a| yelprope.cloudns.cl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])yelprope\.cloudns\.cl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4167912; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/323;) alert ip $HOME_NET any -> 212.114.52.24 any (msg: "MISP e323 [misp-galaxy:malpedia="Andromeda",misp-galaxy:malpedia="KopiLuwak",tlp:white,misp-galaxy:mitre-attack-pattern="Application Window Discovery - T1010",misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004",misp-galaxy:mitre-attack-pattern="Hidden Window - T1564.003",misp-galaxy:mitre-attack-pattern="Modify Registry - T1112",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Query Registry - T1012",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - 
T1049",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001",misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002",misp-galaxy:mitre-attack-pattern="Compromise Infrastructure - T1584",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Install Digital Certificate - T1608.003",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Shutdown/Reboot - T1529",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-intrusion-set="Turla - G0010"] Outgoing To IP: 212.114.52.24"; classtype:trojan-activity; sid:4167921; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/323;) alert dns any any -> any any (msg: "MISP e323 [misp-galaxy:malpedia="Andromeda",misp-galaxy:malpedia="KopiLuwak",tlp:white,misp-galaxy:mitre-attack-pattern="Application Window Discovery - T1010",misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004",misp-galaxy:mitre-attack-pattern="Hidden Window - T1564.003",misp-galaxy:mitre-attack-pattern="Modify Registry - T1112",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Query Registry - T1012",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001",misp-galaxy:mitre-attack-pattern="Asymmetric 
Cryptography - T1573.002",misp-galaxy:mitre-attack-pattern="Compromise Infrastructure - T1584",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Install Digital Certificate - T1608.003",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Shutdown/Reboot - T1529",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-intrusion-set="Turla - G0010"] Domain suckmycocklameavindustry.in"; dns.query; content:"suckmycocklameavindustry.in"; nocase; pcre: "/(^|[^A-Za-z0-9-])suckmycocklameavindustry\.in$/i"; classtype:trojan-activity; sid:4167941; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/323;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e323 [misp-galaxy:malpedia="Andromeda",misp-galaxy:malpedia="KopiLuwak",tlp:white,misp-galaxy:mitre-attack-pattern="Application Window Discovery - T1010",misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004",misp-galaxy:mitre-attack-pattern="Hidden Window - T1564.003",misp-galaxy:mitre-attack-pattern="Modify Registry - T1112",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Query Registry - T1012",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001",misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002",misp-galaxy:mitre-attack-pattern="Compromise Infrastructure - 
T1584",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Install Digital Certificate - T1608.003",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Shutdown/Reboot - T1529",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-intrusion-set="Turla - G0010"] Outgoing HTTP Domain suckmycocklameavindustry.in"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"suckmycocklameavindustry.in"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])suckmycocklameavindustry\.in[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4167942; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/323;) alert ip $HOME_NET any -> 35.205.61.67 any (msg: "MISP e323 [misp-galaxy:malpedia="Andromeda",misp-galaxy:malpedia="KopiLuwak",tlp:white,misp-galaxy:mitre-attack-pattern="Application Window Discovery - T1010",misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004",misp-galaxy:mitre-attack-pattern="Hidden Window - T1564.003",misp-galaxy:mitre-attack-pattern="Modify Registry - T1112",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Query Registry - T1012",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560",misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001",misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002",misp-galaxy:mitre-attack-pattern="Compromise 
Infrastructure - T1584",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Install Digital Certificate - T1608.003",misp-galaxy:mitre-attack-pattern="Software Discovery - T1518",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Shutdown/Reboot - T1529",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-intrusion-set="Turla - G0010"] Outgoing To IP: 35.205.61.67"; classtype:trojan-activity; sid:4167951; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/323;)
#
# ------------------------------------------------------------------------------------------------
# MISP event 324 (https://misp.botvrij.eu/events/view/324): ten domains, tagged AnyDesk / ConnectWise,
# T1566 phishing and T1486 data-encrypted-for-impact. Every domain is exported as a DNS/HTTP pair:
#   sid ...1  alert dns  -- dns.query equals the domain or ends in ".<domain>"
#   sid ...2  alert http -- a cleartext HTTP request from $HOME_NET whose headers contain the domain
# Review notes (apply to each pair below; the rules are left exactly as exported, rev:1):
#  * The DNS rules are `any any -> any any`: not limited to $HOME_NET clients or to port 53, so one
#    lookup can alert at every hop the sensor sees (client->resolver, resolver->forwarder). If that
#    double-alerts, narrow to `$HOME_NET any -> any 53` and bump `rev`. The pcre
#    `(^|[^A-Za-z0-9-])<domain>$` keeps the label boundary: `c2.win03.xyz` matches, `xwin03.xyz` and
#    `win03.xyz.example` do not.
#  * In the HTTP rules `content:"Host|3a|"` and the domain content are two independent matches on the
#    `http.header` buffer with no `distance`/`within` between them, so the domain may be matched in
#    any request header (Referer, Cookie, ...), not specifically in Host. For a Host-only match use
#    the host sticky buffer, e.g. `http.host; content:"win03.xyz"; endswith;` (no `nocase`: the
#    http.host buffer is lowercase-normalised). The dotted buffer names already used here require
#    Suricata 5+, where that form is available. The `/H` pcre flag is the legacy http_header modifier.
#  * Only cleartext HTTP is covered: no `tls.sni` rule is exported for these domains, so HTTPS contact
#    is visible only through the DNS rule (and not at all for clients resolving over DoH/DoT).
#  * `tag:session,600,seconds` logs the remainder of the flow for 10 minutes after the alert.
#  * priority:1 is presumably derived from the event's threat level in MISP (event 325 below exports
#    priority:2), not from per-indicator confidence -- confirm before using it for triage.
#  * NOTE(review): the msg values embed unescaped `"` from the galaxy tag values. The quote count is
#    even and no `;` occurs inside the msg, so the option parser splits correctly, but a tag value
#    containing `;` would break the rule -- run `suricata -T` on this file after each MISP re-export.
# ------------------------------------------------------------------------------------------------
# win03.xyz: sid 4168021 (DNS) / 4168022 (HTTP)
alert dns any any -> any any (msg: "MISP e324 [misp-galaxy:rat="AnyDesk",misp-galaxy:mitre-tool="ConnectWise - S0591",misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="User Execution - T1204",tlp:white] Domain win03.xyz"; dns.query; content:"win03.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])win03\.xyz$/i"; classtype:trojan-activity; sid:4168021; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/324;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e324 [misp-galaxy:rat="AnyDesk",misp-galaxy:mitre-tool="ConnectWise - S0591",misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="User Execution - T1204",tlp:white] Outgoing HTTP Domain win03.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"win03.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])win03\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4168022; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/324;)
# myhelpcare.online: sid 4168031 (DNS) / 4168032 (HTTP)
alert dns any any -> any any (msg: "MISP e324 [misp-galaxy:rat="AnyDesk",misp-galaxy:mitre-tool="ConnectWise - S0591",misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="User Execution - T1204",tlp:white] Domain myhelpcare.online"; dns.query; content:"myhelpcare.online"; nocase; pcre: "/(^|[^A-Za-z0-9-])myhelpcare\.online$/i"; classtype:trojan-activity; sid:4168031; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/324;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e324 [misp-galaxy:rat="AnyDesk",misp-galaxy:mitre-tool="ConnectWise - S0591",misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="User Execution - T1204",tlp:white] Outgoing HTTP Domain myhelpcare.online"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"myhelpcare.online"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])myhelpcare\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4168032; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/324;)
# win01.xyz: sid 4168041 (DNS) / 4168042 (HTTP)
alert dns any any -> any any (msg: "MISP e324 [misp-galaxy:rat="AnyDesk",misp-galaxy:mitre-tool="ConnectWise - S0591",misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="User Execution - T1204",tlp:white] Domain win01.xyz"; dns.query; content:"win01.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])win01\.xyz$/i"; classtype:trojan-activity; sid:4168041; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/324;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e324 [misp-galaxy:rat="AnyDesk",misp-galaxy:mitre-tool="ConnectWise - S0591",misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="User Execution - T1204",tlp:white] Outgoing HTTP Domain win01.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"win01.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])win01\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4168042; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/324;)
# myhelpcare.cc: sid 4168051 (DNS) / 4168052 (HTTP)
alert dns any any -> any any (msg: "MISP e324 [misp-galaxy:rat="AnyDesk",misp-galaxy:mitre-tool="ConnectWise - S0591",misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="User Execution - T1204",tlp:white] Domain myhelpcare.cc"; dns.query; content:"myhelpcare.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-])myhelpcare\.cc$/i"; classtype:trojan-activity; sid:4168051; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/324;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e324 [misp-galaxy:rat="AnyDesk",misp-galaxy:mitre-tool="ConnectWise - S0591",misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="User Execution - T1204",tlp:white] Outgoing HTTP Domain myhelpcare.cc"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"myhelpcare.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])myhelpcare\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4168052; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/324;)
# 247secure.us: sid 4168061 (DNS) / 4168062 (HTTP)
alert dns any any -> any any (msg: "MISP e324 [misp-galaxy:rat="AnyDesk",misp-galaxy:mitre-tool="ConnectWise - S0591",misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="User Execution - T1204",tlp:white] Domain 247secure.us"; dns.query; content:"247secure.us"; nocase; pcre: "/(^|[^A-Za-z0-9-])247secure\.us$/i"; classtype:trojan-activity; sid:4168061; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/324;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e324 [misp-galaxy:rat="AnyDesk",misp-galaxy:mitre-tool="ConnectWise - S0591",misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="User Execution - T1204",tlp:white] Outgoing HTTP Domain 247secure.us"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"247secure.us"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])247secure\.us[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4168062; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/324;)
# hservice.live: sid 4168071 (DNS) / 4168072 (HTTP)
alert dns any any -> any any (msg: "MISP e324 [misp-galaxy:rat="AnyDesk",misp-galaxy:mitre-tool="ConnectWise - S0591",misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="User Execution - T1204",tlp:white] Domain hservice.live"; dns.query; content:"hservice.live"; nocase; pcre: "/(^|[^A-Za-z0-9-])hservice\.live$/i"; classtype:trojan-activity; sid:4168071; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/324;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e324 [misp-galaxy:rat="AnyDesk",misp-galaxy:mitre-tool="ConnectWise - S0591",misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="User Execution - T1204",tlp:white] Outgoing HTTP Domain hservice.live"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hservice.live"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hservice\.live[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4168072; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/324;)
# gscare.live: sid 4168081 (DNS) / 4168082 (HTTP)
alert dns any any -> any any (msg: "MISP e324 [misp-galaxy:rat="AnyDesk",misp-galaxy:mitre-tool="ConnectWise - S0591",misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="User Execution - T1204",tlp:white] Domain gscare.live"; dns.query; content:"gscare.live"; nocase; pcre: "/(^|[^A-Za-z0-9-])gscare\.live$/i"; classtype:trojan-activity; sid:4168081; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/324;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e324 [misp-galaxy:rat="AnyDesk",misp-galaxy:mitre-tool="ConnectWise - S0591",misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="User Execution - T1204",tlp:white] Outgoing HTTP Domain gscare.live"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gscare.live"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gscare\.live[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4168082; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/324;)
# nhelpcare.info: sid 4168091 (DNS) / 4168092 (HTTP)
alert dns any any -> any any (msg: "MISP e324 [misp-galaxy:rat="AnyDesk",misp-galaxy:mitre-tool="ConnectWise - S0591",misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="User Execution - T1204",tlp:white] Domain nhelpcare.info"; dns.query; content:"nhelpcare.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])nhelpcare\.info$/i"; classtype:trojan-activity; sid:4168091; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/324;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e324 [misp-galaxy:rat="AnyDesk",misp-galaxy:mitre-tool="ConnectWise - S0591",misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="User Execution - T1204",tlp:white] Outgoing HTTP Domain nhelpcare.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nhelpcare.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nhelpcare\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4168092; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/324;)
# deskcareme.live: sid 4168101 (DNS) / 4168102 (HTTP)
alert dns any any -> any any (msg: "MISP e324 [misp-galaxy:rat="AnyDesk",misp-galaxy:mitre-tool="ConnectWise - S0591",misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="User Execution - T1204",tlp:white] Domain deskcareme.live"; dns.query; content:"deskcareme.live"; nocase; pcre: "/(^|[^A-Za-z0-9-])deskcareme\.live$/i"; classtype:trojan-activity; sid:4168101; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/324;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e324 [misp-galaxy:rat="AnyDesk",misp-galaxy:mitre-tool="ConnectWise - S0591",misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="User Execution - T1204",tlp:white] Outgoing HTTP Domain deskcareme.live"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"deskcareme.live"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])deskcareme\.live[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4168102; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/324;)
# nhelpcare.cc: sid 4168111 (DNS) / 4168112 (HTTP)
alert dns any any -> any any (msg: "MISP e324 [misp-galaxy:rat="AnyDesk",misp-galaxy:mitre-tool="ConnectWise - S0591",misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="User Execution - T1204",tlp:white] Domain nhelpcare.cc"; dns.query; content:"nhelpcare.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-])nhelpcare\.cc$/i"; classtype:trojan-activity; sid:4168111; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/324;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e324 [misp-galaxy:rat="AnyDesk",misp-galaxy:mitre-tool="ConnectWise - S0591",misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020",misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="User Execution - T1204",tlp:white] Outgoing HTTP Domain nhelpcare.cc"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nhelpcare.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nhelpcare\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4168112; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/324;)
#
# ------------------------------------------------------------------------------------------------
# MISP event 325 (https://misp.botvrij.eu/events/view/325): a misp-scraper "collection" built from a
# blog post, tagged Gozi/Ursnif and Cobalt Strike, exported at priority:2. Same DNS/HTTP pair layout
# as event 324, and every review note given above for event 324 applies to these rules unchanged.
# Additional note: each msg carries the event's full tag list (~2 KB), so every alert from these sids
# is correspondingly large in EVE/fast output; trim the tags in the MISP export (or post-process the
# msg and bump `rev`) if alert volume or SIEM ingest cost matters.
# ------------------------------------------------------------------------------------------------
# denterdrigx.com: sid 4170611 (DNS) / 4170612 (HTTP)
alert dns any any -> any any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Domain denterdrigx.com"; dns.query; content:"denterdrigx.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])denterdrigx\.com$/i"; classtype:trojan-activity; sid:4170611; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing HTTP Domain denterdrigx.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"denterdrigx.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])denterdrigx\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4170612; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;)
# superliner.top: sid 4170621 (DNS) / 4170622 (HTTP)
alert dns any any -> any any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Domain superliner.top"; dns.query; content:"superliner.top"; nocase; pcre: "/(^|[^A-Za-z0-9-])superliner\.top$/i"; classtype:trojan-activity; sid:4170621; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing HTTP Domain superliner.top"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"superliner.top"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])superliner\.top[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4170622; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;)
# internetlines.in: sid 4170631 (DNS) / 4170632 (HTTP)
alert dns any any -> any any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Domain internetlines.in"; dns.query; content:"internetlines.in"; nocase; pcre: "/(^|[^A-Za-z0-9-])internetlines\.in$/i"; classtype:trojan-activity; sid:4170631; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing HTTP Domain internetlines.in"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"internetlines.in"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])internetlines\.in[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4170632; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;)
# superstarts.top: sid 4170641 (DNS) / 4170642 (HTTP)
alert dns any any -> any any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Domain superstarts.top"; dns.query; content:"superstarts.top"; nocase; pcre: "/(^|[^A-Za-z0-9-])superstarts\.top$/i"; classtype:trojan-activity; sid:4170641; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing HTTP Domain superstarts.top"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"superstarts.top"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])superstarts\.top[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4170642; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;)
# superlinez.top: sid 4170651 (DNS) / 4170652 (HTTP)
alert dns any any -> any any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Domain superlinez.top"; dns.query; content:"superlinez.top"; nocase; pcre: "/(^|[^A-Za-z0-9-])superlinez\.top$/i"; classtype:trojan-activity; sid:4170651; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing HTTP Domain superlinez.top"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"superlinez.top"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])superlinez\.top[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4170652; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;)
alert dns any any -> any any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - 
T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Domain internetlined.com"; dns.query; content:"internetlined.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])internetlined\.com$/i"; classtype:trojan-activity; sid:4170661; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - 
T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing HTTP Domain internetlined.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"internetlined.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])internetlined\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4170662; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 62.173.149.7 any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - 
T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing To IP: 62.173.149.7"; classtype:trojan-activity; sid:4170671; rev:1; 
priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 31.41.44.97 any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - 
T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing To IP: 31.41.44.97"; classtype:trojan-activity; sid:4170681; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 5.42.199.83 any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - 
T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing To IP: 5.42.199.83"; classtype:trojan-activity; sid:4170691; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 31.41.44.27 any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - 
T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing To IP: 31.41.44.27"; classtype:trojan-activity; sid:4170701; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 208.91.197.91 any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - 
T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing To IP: 208.91.197.91"; classtype:trojan-activity; sid:4170711; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 187.190.48.135 any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - 
T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing To IP: 187.190.48.135"; classtype:trojan-activity; sid:4170721; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 210.92.250.133 any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt 
Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] 
Outgoing To IP: 210.92.250.133"; classtype:trojan-activity; sid:4170731; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 189.143.170.233 any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - 
T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing To IP: 189.143.170.233"; classtype:trojan-activity; sid:4170741; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 201.103.222.246 any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - 
T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing To IP: 201.103.222.246"; classtype:trojan-activity; sid:4170751; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 151.251.24.5 any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - 
T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing To IP: 151.251.24.5"; classtype:trojan-activity; sid:4170761; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 190.147.189.122 any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - 
T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing To IP: 190.147.189.122"; classtype:trojan-activity; sid:4170771; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 115.88.24.202 any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - 
T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing To IP: 115.88.24.202"; classtype:trojan-activity; sid:4170781; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 211.40.39.251 any (msg: "MISP e325 
[misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - 
T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing To IP: 211.40.39.251"; classtype:trojan-activity; sid:4170791; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 187.195.146.2 any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - 
T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing To IP: 187.195.146.2"; classtype:trojan-activity; sid:4170801; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 186.182.55.44 any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - 
T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing To IP: 186.182.55.44"; classtype:trojan-activity; sid:4170811; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 222.232.238.243 any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust 
Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing To IP: 222.232.238.243"; classtype:trojan-activity; sid:4170821; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 211.119.84.111 any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous 
Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing To IP: 211.119.84.111"; classtype:trojan-activity; sid:4170831; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 51.211.212.188 any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - 
T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing To IP: 51.211.212.188"; classtype:trojan-activity; sid:4170841; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 203.91.116.53 any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - 
T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing To IP: 203.91.116.53"; classtype:trojan-activity; sid:4170851; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 115.88.24.203 any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - 
T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing To IP: 115.88.24.203"; classtype:trojan-activity; sid:4170861; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 190.117.75.91 any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool 
Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing To IP: 190.117.75.91"; classtype:trojan-activity; sid:4170871; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 181.197.121.228 any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from 
Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing To IP: 181.197.121.228"; classtype:trojan-activity; sid:4170881; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 190.167.61.79 any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - 
T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing To IP: 190.167.61.79"; classtype:trojan-activity; sid:4170891; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 109.102.255.230 any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt 
Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] 
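Outgoing To IP: 109.102.255.230"; classtype:trojan-activity; sid:4170901; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;)
# NOTE(review): the msg strings of the MISP e325 rules below embed galaxy/taxonomy tag values in
# bare double quotes (e.g. misp:tool="misp-scraper"). Suricata's rule grammar requires `"` (as well
# as `;` and `\`) inside msg to be backslash-escaped; a rule with unescaped inner quotes is liable to
# be rejected or mis-parsed at load time, which silently drops the indicator. Inner quotes are escaped
# as \" in the complete rules below; rules cut off at the edge of this excerpt are left untouched.
# Longer term, escape the tags in the exporter or regenerate the export without tags in the msg.
# These are bare `alert ip` rules with no flow/state constraint, so any outbound packet to a listed IP
# fires. The indicators come from a scraped blog post (misp:tool="misp-scraper",
# osint:source-type="blog-post") with priority:2, so treat hits as low-confidence until corroborated.
alert ip $HOME_NET any -> 211.119.84.112 any (msg: "MISP e325 [misp:tool=\"misp-scraper\",osint:source-type=\"blog-post\",misp:event-type=\"collection\",tlp:white,misp-galaxy:malpedia=\"Cobalt Strike\",misp-galaxy:banker=\"Gozi\",misp-galaxy:mitre-attack-pattern=\"DNS - T1071.004\",misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\",misp-galaxy:mitre-attack-pattern=\"JavaScript - T1059.007\",misp-galaxy:mitre-attack-pattern=\"VNC - T1021.005\",misp-galaxy:mitre-attack-pattern=\"Software - T1592.002\",misp-galaxy:mitre-attack-pattern=\"WHOIS - T1596.002\",misp-galaxy:mitre-attack-pattern=\"Tool - T1588.002\",misp-galaxy:mitre-malware=\"Ursnif - S0386\",misp-galaxy:mitre-attack-pattern=\"Asynchronous Procedure Call - T1055.004\",misp-galaxy:mitre-attack-pattern=\"BITS Jobs - T1197\",misp-galaxy:mitre-attack-pattern=\"Compile After Delivery - T1027.004\",misp-galaxy:mitre-attack-pattern=\"Credentials from Password Stores - T1555\",misp-galaxy:mitre-attack-pattern=\"Domain Account - T1087.002\",misp-galaxy:mitre-attack-pattern=\"Domain Trust Discovery - T1482\",misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\",misp-galaxy:mitre-attack-pattern=\"LSASS Memory - T1003.001\",misp-galaxy:mitre-attack-pattern=\"Lateral Tool Transfer - T1570\",misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\",misp-galaxy:mitre-attack-pattern=\"Mark-of-the-Web Bypass - T1553.005\",misp-galaxy:mitre-attack-pattern=\"Mshta - T1218.005\",misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\",misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\",misp-galaxy:mitre-attack-pattern=\"Remote Access Software - T1219\",misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1021.001\",misp-galaxy:mitre-attack-pattern=\"Remote System Discovery - T1018\",misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\",misp-galaxy:mitre-attack-pattern=\"System Owner/User Discovery - T1033\",misp-galaxy:mitre-attack-pattern=\"System Time Discovery - T1124\",misp-galaxy:mitre-attack-pattern=\"Visual Basic - T1059.005\",misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\",misp-galaxy:mitre-attack-pattern=\"Windows Management Instrumentation - T1047\"] Outgoing To IP: 211.119.84.112"; classtype:trojan-activity; sid:4170911; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;)
alert ip $HOME_NET any -> 190.107.133.19 any (msg: "MISP e325 [misp:tool=\"misp-scraper\",osint:source-type=\"blog-post\",misp:event-type=\"collection\",tlp:white,misp-galaxy:malpedia=\"Cobalt Strike\",misp-galaxy:banker=\"Gozi\",misp-galaxy:mitre-attack-pattern=\"DNS - T1071.004\",misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\",misp-galaxy:mitre-attack-pattern=\"JavaScript - T1059.007\",misp-galaxy:mitre-attack-pattern=\"VNC - T1021.005\",misp-galaxy:mitre-attack-pattern=\"Software - T1592.002\",misp-galaxy:mitre-attack-pattern=\"WHOIS - T1596.002\",misp-galaxy:mitre-attack-pattern=\"Tool - T1588.002\",misp-galaxy:mitre-malware=\"Ursnif - S0386\",misp-galaxy:mitre-attack-pattern=\"Asynchronous Procedure Call - T1055.004\",misp-galaxy:mitre-attack-pattern=\"BITS Jobs - T1197\",misp-galaxy:mitre-attack-pattern=\"Compile After Delivery - T1027.004\",misp-galaxy:mitre-attack-pattern=\"Credentials from Password Stores - T1555\",misp-galaxy:mitre-attack-pattern=\"Domain Account - T1087.002\",misp-galaxy:mitre-attack-pattern=\"Domain Trust Discovery - T1482\",misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\",misp-galaxy:mitre-attack-pattern=\"LSASS Memory - T1003.001\",misp-galaxy:mitre-attack-pattern=\"Lateral Tool Transfer - T1570\",misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\",misp-galaxy:mitre-attack-pattern=\"Mark-of-the-Web Bypass - T1553.005\",misp-galaxy:mitre-attack-pattern=\"Mshta - T1218.005\",misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\",misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\",misp-galaxy:mitre-attack-pattern=\"Remote Access Software - T1219\",misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1021.001\",misp-galaxy:mitre-attack-pattern=\"Remote System Discovery - T1018\",misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\",misp-galaxy:mitre-attack-pattern=\"System Owner/User Discovery - T1033\",misp-galaxy:mitre-attack-pattern=\"System Time Discovery - T1124\",misp-galaxy:mitre-attack-pattern=\"Visual Basic - T1059.005\",misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\",misp-galaxy:mitre-attack-pattern=\"Windows Management Instrumentation - T1047\"] Outgoing To IP: 190.107.133.19"; classtype:trojan-activity; sid:4170921; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;)
alert ip $HOME_NET any -> 185.95.186.58 any (msg: "MISP e325 [misp:tool=\"misp-scraper\",osint:source-type=\"blog-post\",misp:event-type=\"collection\",tlp:white,misp-galaxy:malpedia=\"Cobalt Strike\",misp-galaxy:banker=\"Gozi\",misp-galaxy:mitre-attack-pattern=\"DNS - T1071.004\",misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\",misp-galaxy:mitre-attack-pattern=\"JavaScript - T1059.007\",misp-galaxy:mitre-attack-pattern=\"VNC - T1021.005\",misp-galaxy:mitre-attack-pattern=\"Software - T1592.002\",misp-galaxy:mitre-attack-pattern=\"WHOIS - T1596.002\",misp-galaxy:mitre-attack-pattern=\"Tool - T1588.002\",misp-galaxy:mitre-malware=\"Ursnif - S0386\",misp-galaxy:mitre-attack-pattern=\"Asynchronous Procedure Call - T1055.004\",misp-galaxy:mitre-attack-pattern=\"BITS Jobs - T1197\",misp-galaxy:mitre-attack-pattern=\"Compile After Delivery - T1027.004\",misp-galaxy:mitre-attack-pattern=\"Credentials from Password Stores - T1555\",misp-galaxy:mitre-attack-pattern=\"Domain Account - T1087.002\",misp-galaxy:mitre-attack-pattern=\"Domain Trust Discovery - T1482\",misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\",misp-galaxy:mitre-attack-pattern=\"LSASS Memory - T1003.001\",misp-galaxy:mitre-attack-pattern=\"Lateral Tool Transfer - T1570\",misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\",misp-galaxy:mitre-attack-pattern=\"Mark-of-the-Web Bypass - T1553.005\",misp-galaxy:mitre-attack-pattern=\"Mshta - T1218.005\",misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\",misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\",misp-galaxy:mitre-attack-pattern=\"Remote Access Software - T1219\",misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1021.001\",misp-galaxy:mitre-attack-pattern=\"Remote System Discovery - T1018\",misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\",misp-galaxy:mitre-attack-pattern=\"System Owner/User Discovery - T1033\",misp-galaxy:mitre-attack-pattern=\"System Time Discovery - T1124\",misp-galaxy:mitre-attack-pattern=\"Visual Basic - T1059.005\",misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\",misp-galaxy:mitre-attack-pattern=\"Windows Management Instrumentation - T1047\"] Outgoing To IP: 185.95.186.58"; classtype:trojan-activity; sid:4170931; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;)
alert ip $HOME_NET any -> 175.120.254.9 any (msg: "MISP e325 [misp:tool=\"misp-scraper\",osint:source-type=\"blog-post\",misp:event-type=\"collection\",tlp:white,misp-galaxy:malpedia=\"Cobalt Strike\",misp-galaxy:banker=\"Gozi\",misp-galaxy:mitre-attack-pattern=\"DNS - T1071.004\",misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\",misp-galaxy:mitre-attack-pattern=\"JavaScript - T1059.007\",misp-galaxy:mitre-attack-pattern=\"VNC - T1021.005\",misp-galaxy:mitre-attack-pattern=\"Software - T1592.002\",misp-galaxy:mitre-attack-pattern=\"WHOIS - T1596.002\",misp-galaxy:mitre-attack-pattern=\"Tool - T1588.002\",misp-galaxy:mitre-malware=\"Ursnif - S0386\",misp-galaxy:mitre-attack-pattern=\"Asynchronous Procedure Call - T1055.004\",misp-galaxy:mitre-attack-pattern=\"BITS Jobs - T1197\",misp-galaxy:mitre-attack-pattern=\"Compile After Delivery - T1027.004\",misp-galaxy:mitre-attack-pattern=\"Credentials from Password Stores - T1555\",misp-galaxy:mitre-attack-pattern=\"Domain Account - T1087.002\",misp-galaxy:mitre-attack-pattern=\"Domain Trust Discovery - T1482\",misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\",misp-galaxy:mitre-attack-pattern=\"LSASS Memory - T1003.001\",misp-galaxy:mitre-attack-pattern=\"Lateral Tool Transfer - T1570\",misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\",misp-galaxy:mitre-attack-pattern=\"Mark-of-the-Web Bypass - T1553.005\",misp-galaxy:mitre-attack-pattern=\"Mshta - T1218.005\",misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\",misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\",misp-galaxy:mitre-attack-pattern=\"Remote Access Software - T1219\",misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1021.001\",misp-galaxy:mitre-attack-pattern=\"Remote System Discovery - T1018\",misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\",misp-galaxy:mitre-attack-pattern=\"System Owner/User Discovery - T1033\",misp-galaxy:mitre-attack-pattern=\"System Time Discovery - T1124\",misp-galaxy:mitre-attack-pattern=\"Visual Basic - T1059.005\",misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\",misp-galaxy:mitre-attack-pattern=\"Windows Management Instrumentation - T1047\"] Outgoing To IP: 175.120.254.9"; classtype:trojan-activity; sid:4170941; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;)
alert ip $HOME_NET any -> 46.194.108.30 any (msg: "MISP e325 [misp:tool=\"misp-scraper\",osint:source-type=\"blog-post\",misp:event-type=\"collection\",tlp:white,misp-galaxy:malpedia=\"Cobalt Strike\",misp-galaxy:banker=\"Gozi\",misp-galaxy:mitre-attack-pattern=\"DNS - T1071.004\",misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\",misp-galaxy:mitre-attack-pattern=\"JavaScript - T1059.007\",misp-galaxy:mitre-attack-pattern=\"VNC - T1021.005\",misp-galaxy:mitre-attack-pattern=\"Software - T1592.002\",misp-galaxy:mitre-attack-pattern=\"WHOIS - T1596.002\",misp-galaxy:mitre-attack-pattern=\"Tool - T1588.002\",misp-galaxy:mitre-malware=\"Ursnif - S0386\",misp-galaxy:mitre-attack-pattern=\"Asynchronous Procedure Call - T1055.004\",misp-galaxy:mitre-attack-pattern=\"BITS Jobs - T1197\",misp-galaxy:mitre-attack-pattern=\"Compile After Delivery - T1027.004\",misp-galaxy:mitre-attack-pattern=\"Credentials from Password Stores - T1555\",misp-galaxy:mitre-attack-pattern=\"Domain Account - T1087.002\",misp-galaxy:mitre-attack-pattern=\"Domain Trust Discovery - T1482\",misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\",misp-galaxy:mitre-attack-pattern=\"LSASS Memory - T1003.001\",misp-galaxy:mitre-attack-pattern=\"Lateral Tool Transfer - T1570\",misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\",misp-galaxy:mitre-attack-pattern=\"Mark-of-the-Web Bypass - T1553.005\",misp-galaxy:mitre-attack-pattern=\"Mshta - T1218.005\",misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\",misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\",misp-galaxy:mitre-attack-pattern=\"Remote Access Software - T1219\",misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1021.001\",misp-galaxy:mitre-attack-pattern=\"Remote System Discovery - T1018\",misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\",misp-galaxy:mitre-attack-pattern=\"System Owner/User Discovery - T1033\",misp-galaxy:mitre-attack-pattern=\"System Time Discovery - T1124\",misp-galaxy:mitre-attack-pattern=\"Visual Basic - T1059.005\",misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\",misp-galaxy:mitre-attack-pattern=\"Windows Management Instrumentation - T1047\"] Outgoing To IP: 46.194.108.30"; classtype:trojan-activity; sid:4170951; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;)
alert ip $HOME_NET any -> 190.225.159.63 any (msg: "MISP e325 [misp:tool=\"misp-scraper\",osint:source-type=\"blog-post\",misp:event-type=\"collection\",tlp:white,misp-galaxy:malpedia=\"Cobalt Strike\",misp-galaxy:banker=\"Gozi\",misp-galaxy:mitre-attack-pattern=\"DNS - T1071.004\",misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\",misp-galaxy:mitre-attack-pattern=\"JavaScript - T1059.007\",misp-galaxy:mitre-attack-pattern=\"VNC - T1021.005\",misp-galaxy:mitre-attack-pattern=\"Software - T1592.002\",misp-galaxy:mitre-attack-pattern=\"WHOIS - T1596.002\",misp-galaxy:mitre-attack-pattern=\"Tool - T1588.002\",misp-galaxy:mitre-malware=\"Ursnif - S0386\",misp-galaxy:mitre-attack-pattern=\"Asynchronous Procedure Call - T1055.004\",misp-galaxy:mitre-attack-pattern=\"BITS Jobs - T1197\",misp-galaxy:mitre-attack-pattern=\"Compile After Delivery - T1027.004\",misp-galaxy:mitre-attack-pattern=\"Credentials from Password Stores - T1555\",misp-galaxy:mitre-attack-pattern=\"Domain Account - T1087.002\",misp-galaxy:mitre-attack-pattern=\"Domain Trust Discovery - T1482\",misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\",misp-galaxy:mitre-attack-pattern=\"LSASS Memory - T1003.001\",misp-galaxy:mitre-attack-pattern=\"Lateral Tool Transfer - T1570\",misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\",misp-galaxy:mitre-attack-pattern=\"Mark-of-the-Web Bypass - T1553.005\",misp-galaxy:mitre-attack-pattern=\"Mshta - T1218.005\",misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\",misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\",misp-galaxy:mitre-attack-pattern=\"Remote Access Software - T1219\",misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1021.001\",misp-galaxy:mitre-attack-pattern=\"Remote System Discovery - T1018\",misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\",misp-galaxy:mitre-attack-pattern=\"System Owner/User Discovery - T1033\",misp-galaxy:mitre-attack-pattern=\"System Time Discovery - T1124\",misp-galaxy:mitre-attack-pattern=\"Visual Basic - T1059.005\",misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\",misp-galaxy:mitre-attack-pattern=\"Windows Management Instrumentation - T1047\"] Outgoing To IP: 190.225.159.63"; classtype:trojan-activity; sid:4170961; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;)
alert ip $HOME_NET any -> 190.140.74.43 any (msg: "MISP e325 [misp:tool=\"misp-scraper\",osint:source-type=\"blog-post\",misp:event-type=\"collection\",tlp:white,misp-galaxy:malpedia=\"Cobalt Strike\",misp-galaxy:banker=\"Gozi\",misp-galaxy:mitre-attack-pattern=\"DNS - T1071.004\",misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\",misp-galaxy:mitre-attack-pattern=\"JavaScript - T1059.007\",misp-galaxy:mitre-attack-pattern=\"VNC - T1021.005\",misp-galaxy:mitre-attack-pattern=\"Software - T1592.002\",misp-galaxy:mitre-attack-pattern=\"WHOIS - T1596.002\",misp-galaxy:mitre-attack-pattern=\"Tool - T1588.002\",misp-galaxy:mitre-malware=\"Ursnif - S0386\",misp-galaxy:mitre-attack-pattern=\"Asynchronous Procedure Call - T1055.004\",misp-galaxy:mitre-attack-pattern=\"BITS Jobs - T1197\",misp-galaxy:mitre-attack-pattern=\"Compile After Delivery - T1027.004\",misp-galaxy:mitre-attack-pattern=\"Credentials from Password Stores - T1555\",misp-galaxy:mitre-attack-pattern=\"Domain Account - T1087.002\",misp-galaxy:mitre-attack-pattern=\"Domain Trust Discovery - T1482\",misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\",misp-galaxy:mitre-attack-pattern=\"LSASS Memory - T1003.001\",misp-galaxy:mitre-attack-pattern=\"Lateral Tool Transfer - T1570\",misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\",misp-galaxy:mitre-attack-pattern=\"Mark-of-the-Web Bypass - T1553.005\",misp-galaxy:mitre-attack-pattern=\"Mshta - T1218.005\",misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\",misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\",misp-galaxy:mitre-attack-pattern=\"Remote Access Software - T1219\",misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1021.001\",misp-galaxy:mitre-attack-pattern=\"Remote System Discovery - T1018\",misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\",misp-galaxy:mitre-attack-pattern=\"System Owner/User Discovery - T1033\",misp-galaxy:mitre-attack-pattern=\"System Time Discovery - T1124\",misp-galaxy:mitre-attack-pattern=\"Visual Basic - T1059.005\",misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\",misp-galaxy:mitre-attack-pattern=\"Windows Management Instrumentation - T1047\"] Outgoing To IP: 190.140.74.43"; classtype:trojan-activity; sid:4170971; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;)
alert ip $HOME_NET any -> 187.156.56.52 any (msg: "MISP e325 [misp:tool=\"misp-scraper\",osint:source-type=\"blog-post\",misp:event-type=\"collection\",tlp:white,misp-galaxy:malpedia=\"Cobalt Strike\",misp-galaxy:banker=\"Gozi\",misp-galaxy:mitre-attack-pattern=\"DNS - T1071.004\",misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\",misp-galaxy:mitre-attack-pattern=\"JavaScript - T1059.007\",misp-galaxy:mitre-attack-pattern=\"VNC - T1021.005\",misp-galaxy:mitre-attack-pattern=\"Software - T1592.002\",misp-galaxy:mitre-attack-pattern=\"WHOIS - T1596.002\",misp-galaxy:mitre-attack-pattern=\"Tool - T1588.002\",misp-galaxy:mitre-malware=\"Ursnif - S0386\",misp-galaxy:mitre-attack-pattern=\"Asynchronous Procedure Call - T1055.004\",misp-galaxy:mitre-attack-pattern=\"BITS Jobs - T1197\",misp-galaxy:mitre-attack-pattern=\"Compile After Delivery - T1027.004\",misp-galaxy:mitre-attack-pattern=\"Credentials from Password Stores - T1555\",misp-galaxy:mitre-attack-pattern=\"Domain Account - T1087.002\",misp-galaxy:mitre-attack-pattern=\"Domain Trust Discovery - T1482\",misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\",misp-galaxy:mitre-attack-pattern=\"LSASS Memory - T1003.001\",misp-galaxy:mitre-attack-pattern=\"Lateral Tool Transfer - T1570\",misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\",misp-galaxy:mitre-attack-pattern=\"Mark-of-the-Web Bypass - T1553.005\",misp-galaxy:mitre-attack-pattern=\"Mshta - T1218.005\",misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\",misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\",misp-galaxy:mitre-attack-pattern=\"Remote Access Software - T1219\",misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1021.001\",misp-galaxy:mitre-attack-pattern=\"Remote System Discovery - T1018\",misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\",misp-galaxy:mitre-attack-pattern=\"System Owner/User Discovery - T1033\",misp-galaxy:mitre-attack-pattern=\"System Time Discovery - T1124\",misp-galaxy:mitre-attack-pattern=\"Visual Basic - T1059.005\",misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\",misp-galaxy:mitre-attack-pattern=\"Windows Management Instrumentation - T1047\"] Outgoing To IP: 187.156.56.52"; classtype:trojan-activity; sid:4170981; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;)
alert ip $HOME_NET any -> 195.158.3.162 any (msg: "MISP e325 [misp:tool=\"misp-scraper\",osint:source-type=\"blog-post\",misp:event-type=\"collection\",tlp:white,misp-galaxy:malpedia=\"Cobalt Strike\",misp-galaxy:banker=\"Gozi\",misp-galaxy:mitre-attack-pattern=\"DNS - T1071.004\",misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\",misp-galaxy:mitre-attack-pattern=\"JavaScript - T1059.007\",misp-galaxy:mitre-attack-pattern=\"VNC - T1021.005\",misp-galaxy:mitre-attack-pattern=\"Software - T1592.002\",misp-galaxy:mitre-attack-pattern=\"WHOIS - T1596.002\",misp-galaxy:mitre-attack-pattern=\"Tool - T1588.002\",misp-galaxy:mitre-malware=\"Ursnif - S0386\",misp-galaxy:mitre-attack-pattern=\"Asynchronous Procedure Call - T1055.004\",misp-galaxy:mitre-attack-pattern=\"BITS Jobs - T1197\",misp-galaxy:mitre-attack-pattern=\"Compile After Delivery - T1027.004\",misp-galaxy:mitre-attack-pattern=\"Credentials from Password Stores - T1555\",misp-galaxy:mitre-attack-pattern=\"Domain Account - T1087.002\",misp-galaxy:mitre-attack-pattern=\"Domain Trust Discovery - T1482\",misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\",misp-galaxy:mitre-attack-pattern=\"LSASS Memory - T1003.001\",misp-galaxy:mitre-attack-pattern=\"Lateral Tool Transfer - T1570\",misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\",misp-galaxy:mitre-attack-pattern=\"Mark-of-the-Web Bypass - T1553.005\",misp-galaxy:mitre-attack-pattern=\"Mshta - T1218.005\",misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\",misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\",misp-galaxy:mitre-attack-pattern=\"Remote Access Software - T1219\",misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1021.001\",misp-galaxy:mitre-attack-pattern=\"Remote System Discovery - T1018\",misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\",misp-galaxy:mitre-attack-pattern=\"System Owner/User Discovery - T1033\",misp-galaxy:mitre-attack-pattern=\"System Time Discovery - T1124\",misp-galaxy:mitre-attack-pattern=\"Visual Basic - T1059.005\",misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\",misp-galaxy:mitre-attack-pattern=\"Windows Management Instrumentation - T1047\"] Outgoing To IP: 195.158.3.162"; classtype:trojan-activity; sid:4170991; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;)
alert ip $HOME_NET any -> 138.36.3.134 any (msg: "MISP e325 [misp:tool=\"misp-scraper\",osint:source-type=\"blog-post\",misp:event-type=\"collection\",tlp:white,misp-galaxy:malpedia=\"Cobalt Strike\",misp-galaxy:banker=\"Gozi\",misp-galaxy:mitre-attack-pattern=\"DNS - T1071.004\",misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\",misp-galaxy:mitre-attack-pattern=\"JavaScript - T1059.007\",misp-galaxy:mitre-attack-pattern=\"VNC - T1021.005\",misp-galaxy:mitre-attack-pattern=\"Software - T1592.002\",misp-galaxy:mitre-attack-pattern=\"WHOIS - T1596.002\",misp-galaxy:mitre-attack-pattern=\"Tool - T1588.002\",misp-galaxy:mitre-malware=\"Ursnif - S0386\",misp-galaxy:mitre-attack-pattern=\"Asynchronous Procedure Call - T1055.004\",misp-galaxy:mitre-attack-pattern=\"BITS Jobs - T1197\",misp-galaxy:mitre-attack-pattern=\"Compile After Delivery - T1027.004\",misp-galaxy:mitre-attack-pattern=\"Credentials from Password Stores - T1555\",misp-galaxy:mitre-attack-pattern=\"Domain Account - T1087.002\",misp-galaxy:mitre-attack-pattern=\"Domain Trust Discovery - T1482\",misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\",misp-galaxy:mitre-attack-pattern=\"LSASS Memory - T1003.001\",misp-galaxy:mitre-attack-pattern=\"Lateral Tool Transfer - T1570\",misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\",misp-galaxy:mitre-attack-pattern=\"Mark-of-the-Web Bypass - T1553.005\",misp-galaxy:mitre-attack-pattern=\"Mshta - T1218.005\",misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\",misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\",misp-galaxy:mitre-attack-pattern=\"Remote Access Software - T1219\",misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1021.001\",misp-galaxy:mitre-attack-pattern=\"Remote System Discovery - T1018\",misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\",misp-galaxy:mitre-attack-pattern=\"System Owner/User Discovery - T1033\",misp-galaxy:mitre-attack-pattern=\"System Time Discovery - T1124\",misp-galaxy:mitre-attack-pattern=\"Visual Basic - T1059.005\",misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\",misp-galaxy:mitre-attack-pattern=\"Windows Management Instrumentation - T1047\"] Outgoing To IP: 138.36.3.134"; classtype:trojan-activity; sid:4171001; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;)
alert ip $HOME_NET any -> 109.98.58.98 any (msg: "MISP e325 [misp:tool=\"misp-scraper\",osint:source-type=\"blog-post\",misp:event-type=\"collection\",tlp:white,misp-galaxy:malpedia=\"Cobalt Strike\",misp-galaxy:banker=\"Gozi\",misp-galaxy:mitre-attack-pattern=\"DNS - T1071.004\",misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\",misp-galaxy:mitre-attack-pattern=\"JavaScript - T1059.007\",misp-galaxy:mitre-attack-pattern=\"VNC - T1021.005\",misp-galaxy:mitre-attack-pattern=\"Software - T1592.002\",misp-galaxy:mitre-attack-pattern=\"WHOIS - T1596.002\",misp-galaxy:mitre-attack-pattern=\"Tool - T1588.002\",misp-galaxy:mitre-malware=\"Ursnif - S0386\",misp-galaxy:mitre-attack-pattern=\"Asynchronous Procedure Call - T1055.004\",misp-galaxy:mitre-attack-pattern=\"BITS Jobs - T1197\",misp-galaxy:mitre-attack-pattern=\"Compile After Delivery - T1027.004\",misp-galaxy:mitre-attack-pattern=\"Credentials from Password Stores - T1555\",misp-galaxy:mitre-attack-pattern=\"Domain Account - T1087.002\",misp-galaxy:mitre-attack-pattern=\"Domain Trust Discovery - T1482\",misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\",misp-galaxy:mitre-attack-pattern=\"LSASS Memory - T1003.001\",misp-galaxy:mitre-attack-pattern=\"Lateral Tool Transfer - T1570\",misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\",misp-galaxy:mitre-attack-pattern=\"Mark-of-the-Web Bypass - T1553.005\",misp-galaxy:mitre-attack-pattern=\"Mshta - T1218.005\",misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\",misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\",misp-galaxy:mitre-attack-pattern=\"Remote Access Software - T1219\",misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1021.001\",misp-galaxy:mitre-attack-pattern=\"Remote System Discovery - T1018\",misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\",misp-galaxy:mitre-attack-pattern=\"System Owner/User Discovery - T1033\",misp-galaxy:mitre-attack-pattern=\"System Time Discovery - T1124\",misp-galaxy:mitre-attack-pattern=\"Visual Basic - T1059.005\",misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\",misp-galaxy:mitre-attack-pattern=\"Windows Management Instrumentation - T1047\"] Outgoing To IP: 109.98.58.98"; classtype:trojan-activity; sid:4171011; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;)
alert ip $HOME_NET any -> 24.232.210.245 any (msg: "MISP e325 [misp:tool=\"misp-scraper\",osint:source-type=\"blog-post\",misp:event-type=\"collection\",tlp:white,misp-galaxy:malpedia=\"Cobalt Strike\",misp-galaxy:banker=\"Gozi\",misp-galaxy:mitre-attack-pattern=\"DNS - T1071.004\",misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\",misp-galaxy:mitre-attack-pattern=\"JavaScript - T1059.007\",misp-galaxy:mitre-attack-pattern=\"VNC - T1021.005\",misp-galaxy:mitre-attack-pattern=\"Software - T1592.002\",misp-galaxy:mitre-attack-pattern=\"WHOIS - T1596.002\",misp-galaxy:mitre-attack-pattern=\"Tool - T1588.002\",misp-galaxy:mitre-malware=\"Ursnif - S0386\",misp-galaxy:mitre-attack-pattern=\"Asynchronous Procedure Call - T1055.004\",misp-galaxy:mitre-attack-pattern=\"BITS Jobs - T1197\",misp-galaxy:mitre-attack-pattern=\"Compile After Delivery - T1027.004\",misp-galaxy:mitre-attack-pattern=\"Credentials from Password Stores - T1555\",misp-galaxy:mitre-attack-pattern=\"Domain Account - T1087.002\",misp-galaxy:mitre-attack-pattern=\"Domain Trust Discovery - T1482\",misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\",misp-galaxy:mitre-attack-pattern=\"LSASS Memory - T1003.001\",misp-galaxy:mitre-attack-pattern=\"Lateral Tool Transfer - T1570\",misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\",misp-galaxy:mitre-attack-pattern=\"Mark-of-the-Web Bypass - T1553.005\",misp-galaxy:mitre-attack-pattern=\"Mshta - T1218.005\",misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\",misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\",misp-galaxy:mitre-attack-pattern=\"Remote Access Software - T1219\",misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1021.001\",misp-galaxy:mitre-attack-pattern=\"Remote System Discovery - T1018\",misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\",misp-galaxy:mitre-attack-pattern=\"System Owner/User Discovery - T1033\",misp-galaxy:mitre-attack-pattern=\"System Time Discovery - T1124\",misp-galaxy:mitre-attack-pattern=\"Visual Basic - T1059.005\",misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\",misp-galaxy:mitre-attack-pattern=\"Windows Management Instrumentation - T1047\"] Outgoing To IP: 24.232.210.245"; classtype:trojan-activity; sid:4171021; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;)
alert ip $HOME_NET any -> 222.236.49.123 any (msg: "MISP e325 [misp:tool=\"misp-scraper\",osint:source-type=\"blog-post\",misp:event-type=\"collection\",tlp:white,misp-galaxy:malpedia=\"Cobalt Strike\",misp-galaxy:banker=\"Gozi\",misp-galaxy:mitre-attack-pattern=\"DNS - T1071.004\",misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\",misp-galaxy:mitre-attack-pattern=\"JavaScript - T1059.007\",misp-galaxy:mitre-attack-pattern=\"VNC - T1021.005\",misp-galaxy:mitre-attack-pattern=\"Software - T1592.002\",misp-galaxy:mitre-attack-pattern=\"WHOIS - T1596.002\",misp-galaxy:mitre-attack-pattern=\"Tool - T1588.002\",misp-galaxy:mitre-malware=\"Ursnif - S0386\",misp-galaxy:mitre-attack-pattern=\"Asynchronous Procedure Call - T1055.004\",misp-galaxy:mitre-attack-pattern=\"BITS Jobs - T1197\",misp-galaxy:mitre-attack-pattern=\"Compile After Delivery - T1027.004\",misp-galaxy:mitre-attack-pattern=\"Credentials from Password Stores - T1555\",misp-galaxy:mitre-attack-pattern=\"Domain Account - T1087.002\",misp-galaxy:mitre-attack-pattern=\"Domain Trust Discovery - T1482\",misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\",misp-galaxy:mitre-attack-pattern=\"LSASS Memory - T1003.001\",misp-galaxy:mitre-attack-pattern=\"Lateral Tool Transfer - T1570\",misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\",misp-galaxy:mitre-attack-pattern=\"Mark-of-the-Web Bypass - T1553.005\",misp-galaxy:mitre-attack-pattern=\"Mshta - T1218.005\",misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\",misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\",misp-galaxy:mitre-attack-pattern=\"Remote Access Software - T1219\",misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1021.001\",misp-galaxy:mitre-attack-pattern=\"Remote System Discovery - T1018\",misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\",misp-galaxy:mitre-attack-pattern=\"System Owner/User Discovery - T1033\",misp-galaxy:mitre-attack-pattern=\"System Time Discovery - T1124\",misp-galaxy:mitre-attack-pattern=\"Visual Basic - T1059.005\",misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\",misp-galaxy:mitre-attack-pattern=\"Windows Management Instrumentation - T1047\"] Outgoing To IP: 222.236.49.123"; classtype:trojan-activity; sid:4171031; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;)
alert ip $HOME_NET any -> 175.126.109.15 any (msg: "MISP e325 [misp:tool=\"misp-scraper\",osint:source-type=\"blog-post\",misp:event-type=\"collection\",tlp:white,misp-galaxy:malpedia=\"Cobalt Strike\",misp-galaxy:banker=\"Gozi\",misp-galaxy:mitre-attack-pattern=\"DNS - T1071.004\",misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\",misp-galaxy:mitre-attack-pattern=\"JavaScript - T1059.007\",misp-galaxy:mitre-attack-pattern=\"VNC - T1021.005\",misp-galaxy:mitre-attack-pattern=\"Software - T1592.002\",misp-galaxy:mitre-attack-pattern=\"WHOIS - T1596.002\",misp-galaxy:mitre-attack-pattern=\"Tool - T1588.002\",misp-galaxy:mitre-malware=\"Ursnif - S0386\",misp-galaxy:mitre-attack-pattern=\"Asynchronous Procedure Call - T1055.004\",misp-galaxy:mitre-attack-pattern=\"BITS Jobs - T1197\",misp-galaxy:mitre-attack-pattern=\"Compile After Delivery - T1027.004\",misp-galaxy:mitre-attack-pattern=\"Credentials from Password Stores - T1555\",misp-galaxy:mitre-attack-pattern=\"Domain Account - T1087.002\",misp-galaxy:mitre-attack-pattern=\"Domain Trust Discovery - T1482\",misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\",misp-galaxy:mitre-attack-pattern=\"LSASS Memory - T1003.001\",misp-galaxy:mitre-attack-pattern=\"Lateral Tool Transfer - T1570\",misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\",misp-galaxy:mitre-attack-pattern=\"Mark-of-the-Web Bypass - T1553.005\",misp-galaxy:mitre-attack-pattern=\"Mshta - T1218.005\",misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\",misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\",misp-galaxy:mitre-attack-pattern=\"Remote Access Software - T1219\",misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1021.001\",misp-galaxy:mitre-attack-pattern=\"Remote System Discovery - T1018\",misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\",misp-galaxy:mitre-attack-pattern=\"System Owner/User Discovery - T1033\",misp-galaxy:mitre-attack-pattern=\"System Time Discovery - T1124\",misp-galaxy:mitre-attack-pattern=\"Visual Basic - T1059.005\",misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\",misp-galaxy:mitre-attack-pattern=\"Windows Management Instrumentation - T1047\"] Outgoing To IP: 175.126.109.15"; classtype:trojan-activity; sid:4171041; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;)
alert ip $HOME_NET any -> 124.109.61.160 any (msg: "MISP e325 [misp:tool=\"misp-scraper\",osint:source-type=\"blog-post\",misp:event-type=\"collection\",tlp:white,misp-galaxy:malpedia=\"Cobalt Strike\",misp-galaxy:banker=\"Gozi\",misp-galaxy:mitre-attack-pattern=\"DNS - T1071.004\",misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\",misp-galaxy:mitre-attack-pattern=\"JavaScript - T1059.007\",misp-galaxy:mitre-attack-pattern=\"VNC - T1021.005\",misp-galaxy:mitre-attack-pattern=\"Software - T1592.002\",misp-galaxy:mitre-attack-pattern=\"WHOIS - T1596.002\",misp-galaxy:mitre-attack-pattern=\"Tool - T1588.002\",misp-galaxy:mitre-malware=\"Ursnif - S0386\",misp-galaxy:mitre-attack-pattern=\"Asynchronous Procedure Call - T1055.004\",misp-galaxy:mitre-attack-pattern=\"BITS Jobs - T1197\",misp-galaxy:mitre-attack-pattern=\"Compile After Delivery - T1027.004\",misp-galaxy:mitre-attack-pattern=\"Credentials from Password Stores - T1555\",misp-galaxy:mitre-attack-pattern=\"Domain Account - T1087.002\",misp-galaxy:mitre-attack-pattern=\"Domain Trust Discovery - T1482\",misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\",misp-galaxy:mitre-attack-pattern=\"LSASS Memory - T1003.001\",misp-galaxy:mitre-attack-pattern=\"Lateral Tool Transfer - T1570\",misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\",misp-galaxy:mitre-attack-pattern=\"Mark-of-the-Web Bypass - T1553.005\",misp-galaxy:mitre-attack-pattern=\"Mshta - T1218.005\",misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\",misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\",misp-galaxy:mitre-attack-pattern=\"Remote Access Software - T1219\",misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1021.001\",misp-galaxy:mitre-attack-pattern=\"Remote System Discovery - T1018\",misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\",misp-galaxy:mitre-attack-pattern=\"System Owner/User Discovery - T1033\",misp-galaxy:mitre-attack-pattern=\"System Time Discovery - T1124\",misp-galaxy:mitre-attack-pattern=\"Visual Basic - T1059.005\",misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\",misp-galaxy:mitre-attack-pattern=\"Windows Management Instrumentation - T1047\"] Outgoing To IP: 124.109.61.160"; classtype:trojan-activity; sid:4171051; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;)
alert ip $HOME_NET any -> 95.107.163.44 any (msg: "MISP e325 [misp:tool=\"misp-scraper\",osint:source-type=\"blog-post\",misp:event-type=\"collection\",tlp:white,misp-galaxy:malpedia=\"Cobalt Strike\",misp-galaxy:banker=\"Gozi\",misp-galaxy:mitre-attack-pattern=\"DNS - T1071.004\",misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\",misp-galaxy:mitre-attack-pattern=\"JavaScript - T1059.007\",misp-galaxy:mitre-attack-pattern=\"VNC - T1021.005\",misp-galaxy:mitre-attack-pattern=\"Software - T1592.002\",misp-galaxy:mitre-attack-pattern=\"WHOIS - T1596.002\",misp-galaxy:mitre-attack-pattern=\"Tool - T1588.002\",misp-galaxy:mitre-malware=\"Ursnif - S0386\",misp-galaxy:mitre-attack-pattern=\"Asynchronous Procedure Call - T1055.004\",misp-galaxy:mitre-attack-pattern=\"BITS Jobs - T1197\",misp-galaxy:mitre-attack-pattern=\"Compile After Delivery - T1027.004\",misp-galaxy:mitre-attack-pattern=\"Credentials from Password Stores - T1555\",misp-galaxy:mitre-attack-pattern=\"Domain Account - T1087.002\",misp-galaxy:mitre-attack-pattern=\"Domain Trust Discovery - T1482\",misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\",misp-galaxy:mitre-attack-pattern=\"LSASS Memory - T1003.001\",misp-galaxy:mitre-attack-pattern=\"Lateral Tool Transfer - T1570\",misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\",misp-galaxy:mitre-attack-pattern=\"Mark-of-the-Web Bypass - T1553.005\",misp-galaxy:mitre-attack-pattern=\"Mshta - T1218.005\",misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\",misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\",misp-galaxy:mitre-attack-pattern=\"Remote Access Software - T1219\",misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1021.001\",misp-galaxy:mitre-attack-pattern=\"Remote System Discovery - T1018\",misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\",misp-galaxy:mitre-attack-pattern=\"System Owner/User Discovery - T1033\",misp-galaxy:mitre-attack-pattern=\"System Time Discovery - T1124\",misp-galaxy:mitre-attack-pattern=\"Visual Basic - T1059.005\",misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\",misp-galaxy:mitre-attack-pattern=\"Windows Management Instrumentation - T1047\"] Outgoing To IP: 95.107.163.44"; classtype:trojan-activity; sid:4171061; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;)
alert ip $HOME_NET any -> 93.152.141.65 any (msg: "MISP e325 [misp:tool=\"misp-scraper\",osint:source-type=\"blog-post\",misp:event-type=\"collection\",tlp:white,misp-galaxy:malpedia=\"Cobalt Strike\",misp-galaxy:banker=\"Gozi\",misp-galaxy:mitre-attack-pattern=\"DNS - T1071.004\",misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\",misp-galaxy:mitre-attack-pattern=\"JavaScript - T1059.007\",misp-galaxy:mitre-attack-pattern=\"VNC - T1021.005\",misp-galaxy:mitre-attack-pattern=\"Software - T1592.002\",misp-galaxy:mitre-attack-pattern=\"WHOIS - T1596.002\",misp-galaxy:mitre-attack-pattern=\"Tool - T1588.002\",misp-galaxy:mitre-malware=\"Ursnif - S0386\",misp-galaxy:mitre-attack-pattern=\"Asynchronous Procedure Call - T1055.004\",misp-galaxy:mitre-attack-pattern=\"BITS Jobs - T1197\",misp-galaxy:mitre-attack-pattern=\"Compile After Delivery - T1027.004\",misp-galaxy:mitre-attack-pattern=\"Credentials from Password Stores - T1555\",misp-galaxy:mitre-attack-pattern=\"Domain Account - T1087.002\",misp-galaxy:mitre-attack-pattern=\"Domain Trust Discovery - T1482\",misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\",misp-galaxy:mitre-attack-pattern=\"LSASS Memory - T1003.001\",misp-galaxy:mitre-attack-pattern=\"Lateral Tool Transfer - T1570\",misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\",misp-galaxy:mitre-attack-pattern=\"Mark-of-the-Web Bypass - T1553.005\",misp-galaxy:mitre-attack-pattern=\"Mshta - T1218.005\",misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\",misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\",misp-galaxy:mitre-attack-pattern=\"Remote Access Software - T1219\",misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1021.001\",misp-galaxy:mitre-attack-pattern=\"Remote System Discovery - T1018\",misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\",misp-galaxy:mitre-attack-pattern=\"System Owner/User Discovery - T1033\",misp-galaxy:mitre-attack-pattern=\"System Time Discovery - T1124\",misp-galaxy:mitre-attack-pattern=\"Visual Basic - T1059.005\",misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\",misp-galaxy:mitre-attack-pattern=\"Windows Management Instrumentation - T1047\"] Outgoing To IP: 93.152.141.65"; classtype:trojan-activity; sid:4171071; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;)
alert ip $HOME_NET any -> 5.204.145.65 any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - 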
T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing To IP: 5.204.145.65"; classtype:trojan-activity; sid:4171081; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 116.121.62.237 any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - 
T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing To IP: 116.121.62.237"; classtype:trojan-activity; sid:4171091; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 31.166.129.162 any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool 
Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing To IP: 31.166.129.162"; classtype:trojan-activity; sid:4171101; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 222.236.49.124 any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from 
Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing To IP: 222.236.49.124"; classtype:trojan-activity; sid:4171111; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 211.171.233.129 any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - 
T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing To IP: 211.171.233.129"; classtype:trojan-activity; sid:4171121; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 211.171.233.126 any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt 
Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] 
Outgoing To IP: 211.171.233.126"; classtype:trojan-activity; sid:4171131; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 211.53.230.67 any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - 
T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing To IP: 211.53.230.67"; classtype:trojan-activity; sid:4171141; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 196.200.111.5 any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - 
T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing To IP: 196.200.111.5"; classtype:trojan-activity; sid:4171151; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 190.219.54.242 any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - 
T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing To IP: 190.219.54.242"; classtype:trojan-activity; sid:4171161; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 190.167.100.154 any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - 
T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing To IP: 190.167.100.154"; classtype:trojan-activity; sid:4171171; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 110.14.121.125 any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - 
T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing To IP: 110.14.121.125"; classtype:trojan-activity; sid:4171181; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 58.235.189.192 any (msg: "MISP e325 
[misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - 
T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing To IP: 58.235.189.192"; classtype:trojan-activity; sid:4171191; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 37.34.248.24 any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - 
T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing To IP: 37.34.248.24"; classtype:trojan-activity; sid:4171201; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 110.14.121.123 any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - 
T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing To IP: 110.14.121.123"; classtype:trojan-activity; sid:4171211; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 179.53.93.16 any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery 
- T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing To IP: 179.53.93.16"; classtype:trojan-activity; sid:4171221; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 175.119.10.231 any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - 
T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing To IP: 175.119.10.231"; classtype:trojan-activity; sid:4171231; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 211.59.14.90 any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - 
T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing To IP: 211.59.14.90"; classtype:trojan-activity; sid:4171241; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 188.48.64.249 any 
(msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - 
T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing To IP: 188.48.64.249"; classtype:trojan-activity; sid:4171251; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 187.232.150.225 any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - 
T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing To IP: 187.232.150.225"; classtype:trojan-activity; sid:4171261; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 186.7.85.71 any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - 
T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing To IP: 186.7.85.71"; classtype:trojan-activity; sid:4171271; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 148.255.20.4 any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - 
T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing To IP: 148.255.20.4"; classtype:trojan-activity; sid:4171281; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 91.139.196.113 any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - 
T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing To IP: 91.139.196.113"; classtype:trojan-activity; sid:4171291; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 41.41.255.235 any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - 
T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing To IP: 41.41.255.235"; classtype:trojan-activity; sid:4171301; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 31.167.236.174 any 
(msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - 
T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing To IP: 31.167.236.174"; classtype:trojan-activity; sid:4171311; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 189.165.2.131 any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - 
T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing To IP: 189.165.2.131"; classtype:trojan-activity; sid:4171321; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 1.248.122.240 any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - 
T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing To IP: 1.248.122.240"; classtype:trojan-activity; sid:4171331; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 193.106.191.186 any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust 
Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing To IP: 193.106.191.186"; classtype:trojan-activity; sid:4171341; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert ip $HOME_NET any -> 193.201.9.199 any (msg: "MISP e325 [misp:tool="misp-scraper",osint:source-type="blog-post",misp:event-type="collection",tlp:white,misp-galaxy:malpedia="Cobalt Strike",misp-galaxy:banker="Gozi",misp-galaxy:mitre-attack-pattern="DNS - T1071.004",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007",misp-galaxy:mitre-attack-pattern="VNC - T1021.005",misp-galaxy:mitre-attack-pattern="Software - T1592.002",misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002",misp-galaxy:mitre-attack-pattern="Tool - T1588.002",misp-galaxy:mitre-malware="Ursnif - S0386",misp-galaxy:mitre-attack-pattern="Asynchronous 
Procedure Call - T1055.004",misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197",misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004",misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555",misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002",misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001",misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001",misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033",misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"] Outgoing To IP: 193.201.9.199"; classtype:trojan-activity; sid:4171351; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/325;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e326 [misp-galaxy:banker="IcedID",misp-galaxy:malpedia="IcedID",tlp:white] Outgoing URL https|3a|//firebasestorage.googleapis.com/v0/b/hardy-city-377704.appspot.com/o/B3WPGiNEK2%2FSetup_Win_13-02-2023_16-33-16.zip?alt=media&token=ea9a5843-8216-4883-b45b-d0af1a1d80c8"; tls.sni; 
content:"firebasestorage.googleapis.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4172601; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/326;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e326 [misp-galaxy:banker="IcedID",misp-galaxy:malpedia="IcedID",tlp:white] Outgoing URL https|3a|//microsofteamsus.top/en-us/teams/download-app/"; tls.sni; content:"microsofteamsus.top"; tag:session,600,seconds; classtype:trojan-activity; sid:4172581; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/326;) alert ip $HOME_NET any -> 85.193.93.125 any (msg: "MISP e326 [misp-galaxy:banker="IcedID",misp-galaxy:malpedia="IcedID",tlp:white] Outgoing To IP: 85.193.93.125"; classtype:trojan-activity; sid:4172591; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/326;) alert ip $HOME_NET any -> 45.61.139.138 any (msg: "MISP e326 [misp-galaxy:banker="IcedID",misp-galaxy:malpedia="IcedID",tlp:white] Outgoing To IP: 45.61.139.138"; classtype:trojan-activity; sid:4172631; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/326;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e326 [misp-galaxy:banker="IcedID",misp-galaxy:malpedia="IcedID",tlp:white] Outgoing URL http|3a|//alishabrindeader.com"; flow:to_server,established; http.header; content:"alishabrindeader.com"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4172641; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/326;) alert ip $HOME_NET any -> 192.3.76.227 any (msg: "MISP e326 [misp-galaxy:banker="IcedID",misp-galaxy:malpedia="IcedID",tlp:white] Outgoing To IP: 192.3.76.227"; classtype:trojan-activity; sid:4172701; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/326;) alert dns any any -> any any (msg: "MISP e326 [misp-galaxy:banker="IcedID",misp-galaxy:malpedia="IcedID",tlp:white] Domain qonavlecher.com"; dns.query; content:"qonavlecher.com"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])qonavlecher\.com$/i"; classtype:trojan-activity; sid:4172711; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/326;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e326 [misp-galaxy:banker="IcedID",misp-galaxy:malpedia="IcedID",tlp:white] Outgoing HTTP Domain qonavlecher.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"qonavlecher.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])qonavlecher\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4172712; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/326;) alert dns any any -> any any (msg: "MISP e326 [misp-galaxy:banker="IcedID",misp-galaxy:malpedia="IcedID",tlp:white] Domain treylercompandium.com"; dns.query; content:"treylercompandium.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])treylercompandium\.com$/i"; classtype:trojan-activity; sid:4172721; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/326;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e326 [misp-galaxy:banker="IcedID",misp-galaxy:malpedia="IcedID",tlp:white] Outgoing HTTP Domain treylercompandium.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"treylercompandium.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])treylercompandium\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4172722; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/326;) alert dns any any -> any any (msg: "MISP e326 [misp-galaxy:banker="IcedID",misp-galaxy:malpedia="IcedID",tlp:white] Hostname 192.3.76.227"; dns.query; content:"192.3.76.227"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])192\.3\.76\.227$/i"; classtype:trojan-activity; sid:4172731; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/326;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e326 
[misp-galaxy:banker="IcedID",misp-galaxy:malpedia="IcedID",tlp:white] Outgoing HTTP Hostname 192.3.76.227"; flow:to_server,established; http.header; content: "Host|3a| 192.3.76.227"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])192\.3\.76\.227[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4172732; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/326;) alert ip $HOME_NET any -> 104.225.129.86 any (msg: "MISP e327 [misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",tlp:white] Outgoing To IP: 104.225.129.86"; classtype:trojan-activity; sid:4173181; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/327;) alert ip $HOME_NET any -> 104.225.129.103 any (msg: "MISP e327 [misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",tlp:white] Outgoing To IP: 104.225.129.103"; classtype:trojan-activity; sid:4173191; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/327;) alert ip $HOME_NET any -> 15.207.207.64 any (msg: "MISP e327 [misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",tlp:white] Outgoing To IP: 15.207.207.64"; classtype:trojan-activity; sid:4173201; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/327;) alert ip $HOME_NET any -> 209.95.60.92 any (msg: "MISP e327 [misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",tlp:white] Outgoing To IP: 209.95.60.92"; classtype:trojan-activity; sid:4173211; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/327;) alert ip $HOME_NET any -> 175.45.176.27 any (msg: "MISP e327 [misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",tlp:white] Outgoing To IP: 175.45.176.27"; classtype:trojan-activity; sid:4173221; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/327;) alert ip $HOME_NET any -> 23.237.32.34 any (msg: "MISP e327 [misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",tlp:white] Outgoing To IP: 23.237.32.34"; classtype:trojan-activity; sid:4173231; rev:1; 
priority:2; reference:url,https://misp.botvrij.eu/events/view/327;) alert ip $HOME_NET any -> 193.176.211.0/24 any (msg: "MISP e327 [misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",tlp:white] Outgoing To IP: 193.176.211.0/24"; classtype:trojan-activity; sid:4173241; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/327;) alert ip $HOME_NET any -> 146.185.26.150 any (msg: "MISP e327 [misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",tlp:white] Outgoing To IP: 146.185.26.150"; classtype:trojan-activity; sid:4173251; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/327;) alert ip $HOME_NET any -> 154.6.26.2 any (msg: "MISP e327 [misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",tlp:white] Outgoing To IP: 154.6.26.2"; classtype:trojan-activity; sid:4173261; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/327;) alert dns any any -> any any (msg: "MISP e328 [misp-galaxy:country="austria",misp-galaxy:country="panama",misp-galaxy:country="united kingdom",tlp:white] Domain acrobatrelay.com"; dns.query; content:"acrobatrelay.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])acrobatrelay\.com$/i"; classtype:trojan-activity; sid:4173411; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/328;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e328 [misp-galaxy:country="austria",misp-galaxy:country="panama",misp-galaxy:country="united kingdom",tlp:white] Outgoing HTTP Domain acrobatrelay.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"acrobatrelay.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])acrobatrelay\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4173412; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/328;) alert dns any any -> any any (msg: "MISP e328 [misp-galaxy:country="austria",misp-galaxy:country="panama",misp-galaxy:country="united kingdom",tlp:white] Hostname 
demo3.dsirf.eu"; dns.query; content:"demo3.dsirf.eu"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])demo3\.dsirf\.eu$/i"; classtype:trojan-activity; sid:4173421; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/328;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e328 [misp-galaxy:country="austria",misp-galaxy:country="panama",misp-galaxy:country="united kingdom",tlp:white] Outgoing HTTP Hostname demo3.dsirf.eu"; flow:to_server,established; http.header; content: "Host|3a| demo3.dsirf.eu"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])demo3\.dsirf\.eu[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4173422; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/328;) alert dns any any -> any any (msg: "MISP e328 [misp-galaxy:country="austria",misp-galaxy:country="panama",misp-galaxy:country="united kingdom",tlp:white] Hostname debugmex.dsirflabs.eu"; dns.query; content:"debugmex.dsirflabs.eu"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])debugmex\.dsirflabs\.eu$/i"; classtype:trojan-activity; sid:4173431; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/328;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e328 [misp-galaxy:country="austria",misp-galaxy:country="panama",misp-galaxy:country="united kingdom",tlp:white] Outgoing HTTP Hostname debugmex.dsirflabs.eu"; flow:to_server,established; http.header; content: "Host|3a| debugmex.dsirflabs.eu"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])debugmex\.dsirflabs\.eu[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4173432; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/328;) alert dns any any -> any any (msg: "MISP e328 [misp-galaxy:country="austria",misp-galaxy:country="panama",misp-galaxy:country="united kingdom",tlp:white] Hostname szstaging.dsirflabs.eu"; dns.query; content:"szstaging.dsirflabs.eu"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])szstaging\.dsirflabs\.eu$/i"; 
classtype:trojan-activity; sid:4173441; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/328;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e328 [misp-galaxy:country="austria",misp-galaxy:country="panama",misp-galaxy:country="united kingdom",tlp:white] Outgoing HTTP Hostname szstaging.dsirflabs.eu"; flow:to_server,established; http.header; content: "Host|3a| szstaging.dsirflabs.eu"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])szstaging\.dsirflabs\.eu[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4173442; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/328;) alert dns any any -> any any (msg: "MISP e328 [misp-galaxy:country="austria",misp-galaxy:country="panama",misp-galaxy:country="united kingdom",tlp:white] Domain finconsult.cc"; dns.query; content:"finconsult.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-])finconsult\.cc$/i"; classtype:trojan-activity; sid:4173451; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/328;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e328 [misp-galaxy:country="austria",misp-galaxy:country="panama",misp-galaxy:country="united kingdom",tlp:white] Outgoing HTTP Domain finconsult.cc"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"finconsult.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])finconsult\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4173452; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/328;) alert dns any any -> any any (msg: "MISP e328 [misp-galaxy:country="austria",misp-galaxy:country="panama",misp-galaxy:country="united kingdom",tlp:white] Domain realmetaldns.com"; dns.query; content:"realmetaldns.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])realmetaldns\.com$/i"; classtype:trojan-activity; sid:4173461; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/328;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg: "MISP e328 [misp-galaxy:country="austria",misp-galaxy:country="panama",misp-galaxy:country="united kingdom",tlp:white] Outgoing HTTP Domain realmetaldns.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"realmetaldns.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])realmetaldns\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4173462; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/328;) alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain cache-dns.com"; dns.query; content:"cache-dns.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])cache\-dns\.com$/i"; classtype:trojan-activity; sid:4173631; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain cache-dns.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cache-dns.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cache\-dns\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4173632; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain 
cache-dns-forwarding.com"; dns.query; content:"cache-dns-forwarding.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])cache\-dns\-forwarding\.com$/i"; classtype:trojan-activity; sid:4173641; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain cache-dns-forwarding.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cache-dns-forwarding.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cache\-dns\-forwarding\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4173642; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain cache-dns-preview.com"; dns.query; content:"cache-dns-preview.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])cache\-dns\-preview\.com$/i"; classtype:trojan-activity; sid:4173651; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain cache-dns-preview.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cache-dns-preview.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])cache\-dns\-preview\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4173652; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain cache-docs.com"; dns.query; content:"cache-docs.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])cache\-docs\.com$/i"; classtype:trojan-activity; sid:4173661; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain cache-docs.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cache-docs.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cache\-docs\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4173662; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain cache-pdf.com"; dns.query; content:"cache-pdf.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])cache\-pdf\.com$/i"; classtype:trojan-activity; sid:4173671; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 
[misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain cache-pdf.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cache-pdf.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cache\-pdf\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4173672; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain cache-pdf.online"; dns.query; content:"cache-pdf.online"; nocase; pcre: "/(^|[^A-Za-z0-9-])cache\-pdf\.online$/i"; classtype:trojan-activity; sid:4173681; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain cache-pdf.online"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cache-pdf.online"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cache\-pdf\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4173682; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - 
T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain cache-services.live"; dns.query; content:"cache-services.live"; nocase; pcre: "/(^|[^A-Za-z0-9-])cache\-services\.live$/i"; classtype:trojan-activity; sid:4173691; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain cache-services.live"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cache-services.live"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cache\-services\.live[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4173692; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain cloud-docs.com"; dns.query; content:"cloud-docs.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])cloud\-docs\.com$/i"; classtype:trojan-activity; sid:4173701; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain cloud-docs.com"; flow:to_server,established; http.header; content: "Host|3a|"; 
nocase; http.header; content:"cloud-docs.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cloud\-docs\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4173702; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain cloud-drive.live"; dns.query; content:"cloud-drive.live"; nocase; pcre: "/(^|[^A-Za-z0-9-])cloud\-drive\.live$/i"; classtype:trojan-activity; sid:4173711; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain cloud-drive.live"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cloud-drive.live"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cloud\-drive\.live[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4173712; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain cloud-storage.live"; dns.query; content:"cloud-storage.live"; nocase; pcre: "/(^|[^A-Za-z0-9-])cloud\-storage\.live$/i"; classtype:trojan-activity; sid:4173721; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) 
# MISP event 329 (Callisto phishing infrastructure): one "dns" + one "http" rule per domain attribute.
# Syntax is Suricata sticky-buffer style (http.header, dns.query) - these will not load on Snort 2.x.
#
# Coverage caveats for this rule pair pattern (applies to every pair below):
#  - The "dns" rules fire on the lookup of the domain or any subdomain (pcre anchored with "$", and
#    "(^|[^A-Za-z0-9-])" stops "evildocs-cache.com"-style superstrings from matching). A lookup alone
#    proves resolution, not a connection; presumably mail-gateway link scanners can trigger it - verify.
#  - The "http" rules run two independent matches on the whole http.header buffer: "Host|3a|" and the
#    domain string. Nothing ties the second match to the Host line (no distance/within), so the domain
#    appearing in a Referer/Origin header also alerts; use "http.host; content:...; endswith" to pin it.
#  - Only cleartext HTTP is inspected. Phishing pages served over HTTPS are invisible to the "http"
#    rules; this export emits tls.sni rules only for URL attributes (e.g. sid:4172601 in e326), not
#    for domain attributes, so add a tls.sni companion rule per domain if HTTPS coverage is needed.
#  - tag:session,600,seconds logs the whole flow for 10 minutes after a hit - size storage accordingly.
#  - Destination port is "any" because the http app-layer parser, not a port, selects the flow.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain cloud-storage.live"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cloud-storage.live"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cloud\-storage\.live[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4173722; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;)
# docs-cache.com - DNS lookup (sid 4173731) and cleartext HTTP Host (sid 4173732)
alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain docs-cache.com"; dns.query; content:"docs-cache.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])docs\-cache\.com$/i"; classtype:trojan-activity; sid:4173731; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain docs-cache.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"docs-cache.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])docs\-cache\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4173732; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;)
# docs-forwarding.online - DNS lookup (sid 4173741) and cleartext HTTP Host (sid 4173742)
alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain docs-forwarding.online"; dns.query; content:"docs-forwarding.online"; nocase; pcre: "/(^|[^A-Za-z0-9-])docs\-forwarding\.online$/i"; classtype:trojan-activity; sid:4173741; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain docs-forwarding.online"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"docs-forwarding.online"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])docs\-forwarding\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4173742; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;)
# docs-info.com - DNS lookup (sid 4173751) and cleartext HTTP Host (sid 4173752)
alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain docs-info.com"; dns.query; content:"docs-info.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])docs\-info\.com$/i"; classtype:trojan-activity; sid:4173751; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain docs-info.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"docs-info.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])docs\-info\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4173752; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;)
# docs-shared.com - DNS lookup (sid 4173761) and cleartext HTTP Host (sid 4173762)
alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain docs-shared.com"; dns.query; content:"docs-shared.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])docs\-shared\.com$/i"; classtype:trojan-activity; sid:4173761; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain docs-shared.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"docs-shared.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])docs\-shared\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4173762; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;)
# docs-shared.online - DNS lookup (sid 4173771) and cleartext HTTP Host (sid 4173772)
alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain docs-shared.online"; dns.query; content:"docs-shared.online"; nocase; pcre: "/(^|[^A-Za-z0-9-])docs\-shared\.online$/i"; classtype:trojan-activity; sid:4173771; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain docs-shared.online"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"docs-shared.online"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])docs\-shared\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4173772; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;)
# docs-view.online - DNS lookup (sid 4173781) and cleartext HTTP Host (sid 4173782)
alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain docs-view.online"; dns.query; content:"docs-view.online"; nocase; pcre: "/(^|[^A-Za-z0-9-])docs\-view\.online$/i"; classtype:trojan-activity; sid:4173781; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain docs-view.online"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"docs-view.online"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])docs\-view\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4173782; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;)
# Review notes for the MISP e329 rule block below (domain indicators tagged
# misp-galaxy:threat-actor="Callisto" / T1566, T1566.001, T1566.002).
#
# Rule shape: two rules per domain, sid ending in 1 = DNS, sid ending in 2 = HTTP.
#
#  - DNS rules use `alert dns any any -> any any` with `dns.query` plus a pcre
#    anchored at `$`. With `any` on both sides, a sensor that sees both the
#    client -> resolver and resolver -> upstream legs of one lookup may fire
#    twice per query; scope the source to $HOME_NET or dedupe downstream.
#  - HTTP rules match `http.header; content:"Host|3a|"` and
#    `http.header; content:"<domain>"` as two independent matches over the whole
#    header block, not a match on the Host header value; the `/Hi` pcre only
#    checks the domain is not a substring of a longer label. A hit on the same
#    domain in another header (Referer, Origin) would also fire. The `http.host`
#    sticky buffer would pin the match to the Host header — confirm it is
#    supported by the Suricata version in use before changing the rules.
#  - The msg strings carry unescaped `"` from the galaxy tags. The quotes are
#    balanced so the option parser appears to cope, but verify the whole file
#    loads (`suricata -T -S <rules file>`) before deployment, and expect the
#    embedded quotes to appear in the alert signature field of eve.json.
#  - Rules are wrapped across several lines here; Suricata expects one rule
#    per line (or `\` line continuations). If the file on disk has these
#    breaks, it will not load as-is.
#  - This block uses `priority:2` where the earlier events in this export use
#    `priority:3`; triage that keys on priority alone should be aware of this.
alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain document-forwarding.com"; dns.query; content:"document-forwarding.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])document\-forwarding\.com$/i"; classtype:trojan-activity; sid:4173791; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain document-forwarding.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"document-forwarding.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])document\-forwarding\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4173792; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain document-online.live"; dns.query; content:"document-online.live"; nocase; pcre: "/(^|[^A-Za-z0-9-])document\-online\.live$/i"; classtype:trojan-activity; sid:4173801; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment 
- T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain document-online.live"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"document-online.live"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])document\-online\.live[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4173802; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain document-preview.com"; dns.query; content:"document-preview.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])document\-preview\.com$/i"; classtype:trojan-activity; sid:4173811; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain document-preview.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"document-preview.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])document\-preview\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4173812; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain 
documents-cloud.com"; dns.query; content:"documents-cloud.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])documents\-cloud\.com$/i"; classtype:trojan-activity; sid:4173821; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain documents-cloud.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"documents-cloud.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])documents\-cloud\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4173822; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain documents-cloud.online"; dns.query; content:"documents-cloud.online"; nocase; pcre: "/(^|[^A-Za-z0-9-])documents\-cloud\.online$/i"; classtype:trojan-activity; sid:4173831; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain documents-cloud.online"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"documents-cloud.online"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])documents\-cloud\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4173832; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain documents-forwarding.com"; dns.query; content:"documents-forwarding.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])documents\-forwarding\.com$/i"; classtype:trojan-activity; sid:4173841; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain documents-forwarding.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"documents-forwarding.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])documents\-forwarding\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4173842; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain document-share.live"; dns.query; content:"document-share.live"; nocase; pcre: "/(^|[^A-Za-z0-9-])document\-share\.live$/i"; classtype:trojan-activity; sid:4173851; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain document-share.live"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"document-share.live"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])document\-share\.live[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4173852; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain documents-online.live"; dns.query; content:"documents-online.live"; nocase; pcre: "/(^|[^A-Za-z0-9-])documents\-online\.live$/i"; classtype:trojan-activity; sid:4173861; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain documents-online.live"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"documents-online.live"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])documents\-online\.live[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4173862; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert dns any any -> any any (msg: "MISP e329 
[misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain documents-pdf.online"; dns.query; content:"documents-pdf.online"; nocase; pcre: "/(^|[^A-Za-z0-9-])documents\-pdf\.online$/i"; classtype:trojan-activity; sid:4173871; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain documents-pdf.online"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"documents-pdf.online"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])documents\-pdf\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4173872; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain documents-preview.com"; dns.query; content:"documents-preview.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])documents\-preview\.com$/i"; classtype:trojan-activity; sid:4173881; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - 
T1566",tlp:white] Outgoing HTTP Domain documents-preview.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"documents-preview.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])documents\-preview\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4173882; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain documents-view.live"; dns.query; content:"documents-view.live"; nocase; pcre: "/(^|[^A-Za-z0-9-])documents\-view\.live$/i"; classtype:trojan-activity; sid:4173891; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain documents-view.live"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"documents-view.live"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])documents\-view\.live[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4173892; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain document-view.live"; dns.query; content:"document-view.live"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])document\-view\.live$/i"; classtype:trojan-activity; sid:4173901; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain document-view.live"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"document-view.live"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])document\-view\.live[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4173902; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain drive-docs.com"; dns.query; content:"drive-docs.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])drive\-docs\.com$/i"; classtype:trojan-activity; sid:4173911; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain drive-docs.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"drive-docs.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])drive\-docs\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4173912; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/329;) alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain drive-share.live"; dns.query; content:"drive-share.live"; nocase; pcre: "/(^|[^A-Za-z0-9-])drive\-share\.live$/i"; classtype:trojan-activity; sid:4173921; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain drive-share.live"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"drive-share.live"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])drive\-share\.live[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4173922; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain goo-link.online"; dns.query; content:"goo-link.online"; nocase; pcre: "/(^|[^A-Za-z0-9-])goo\-link\.online$/i"; classtype:trojan-activity; sid:4173931; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - 
T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain goo-link.online"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"goo-link.online"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])goo\-link\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4173932; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain hypertextteches.com"; dns.query; content:"hypertextteches.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])hypertextteches\.com$/i"; classtype:trojan-activity; sid:4173941; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain hypertextteches.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hypertextteches.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hypertextteches\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4173942; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain mail-docs.online"; dns.query; 
content:"mail-docs.online"; nocase; pcre: "/(^|[^A-Za-z0-9-])mail\-docs\.online$/i"; classtype:trojan-activity; sid:4173951; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain mail-docs.online"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mail-docs.online"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mail\-docs\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4173952; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain officeonline365.live"; dns.query; content:"officeonline365.live"; nocase; pcre: "/(^|[^A-Za-z0-9-])officeonline365\.live$/i"; classtype:trojan-activity; sid:4173961; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain officeonline365.live"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"officeonline365.live"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])officeonline365\.live[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4173962; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain online365-office.com"; dns.query; content:"online365-office.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])online365\-office\.com$/i"; classtype:trojan-activity; sid:4173971; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain online365-office.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"online365-office.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])online365\-office\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4173972; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain online-document.live"; dns.query; content:"online-document.live"; nocase; pcre: "/(^|[^A-Za-z0-9-])online\-document\.live$/i"; classtype:trojan-activity; sid:4173981; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 
[misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain online-document.live"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"online-document.live"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])online\-document\.live[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4173982; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain online-storage.live"; dns.query; content:"online-storage.live"; nocase; pcre: "/(^|[^A-Za-z0-9-])online\-storage\.live$/i"; classtype:trojan-activity; sid:4173991; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain online-storage.live"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"online-storage.live"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])online\-storage\.live[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4173992; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - 
T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain pdf-cache.com"; dns.query; content:"pdf-cache.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])pdf\-cache\.com$/i"; classtype:trojan-activity; sid:4174001; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain pdf-cache.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pdf-cache.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pdf\-cache\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4174002; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain pdf-cache.online"; dns.query; content:"pdf-cache.online"; nocase; pcre: "/(^|[^A-Za-z0-9-])pdf\-cache\.online$/i"; classtype:trojan-activity; sid:4174011; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain pdf-cache.online"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; 
content:"pdf-cache.online"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pdf\-cache\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4174012; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain pdf-docs.online"; dns.query; content:"pdf-docs.online"; nocase; pcre: "/(^|[^A-Za-z0-9-])pdf\-docs\.online$/i"; classtype:trojan-activity; sid:4174021; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain pdf-docs.online"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pdf-docs.online"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pdf\-docs\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4174022; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain pdf-forwarding.online"; dns.query; content:"pdf-forwarding.online"; nocase; pcre: "/(^|[^A-Za-z0-9-])pdf\-forwarding\.online$/i"; classtype:trojan-activity; sid:4174031; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain pdf-forwarding.online"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pdf-forwarding.online"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pdf\-forwarding\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4174032; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain protection-checklinks.xyz"; dns.query; content:"protection-checklinks.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])protection\-checklinks\.xyz$/i"; classtype:trojan-activity; sid:4174041; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain protection-checklinks.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"protection-checklinks.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])protection\-checklinks\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4174042; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert dns any any -> any any (msg: "MISP e329 
[misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain protection-link.online"; dns.query; content:"protection-link.online"; nocase; pcre: "/(^|[^A-Za-z0-9-])protection\-link\.online$/i"; classtype:trojan-activity; sid:4174051; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain protection-link.online"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"protection-link.online"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])protection\-link\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4174052; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain protectionmail.online"; dns.query; content:"protectionmail.online"; nocase; pcre: "/(^|[^A-Za-z0-9-])protectionmail\.online$/i"; classtype:trojan-activity; sid:4174061; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - 
T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain protectionmail.online"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"protectionmail.online"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])protectionmail\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4174062; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain protection-office.live"; dns.query; content:"protection-office.live"; nocase; pcre: "/(^|[^A-Za-z0-9-])protection\-office\.live$/i"; classtype:trojan-activity; sid:4174071; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain protection-office.live"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"protection-office.live"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])protection\-office\.live[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4174072; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain 
protect-link.online"; dns.query; content:"protect-link.online"; nocase; pcre: "/(^|[^A-Za-z0-9-])protect\-link\.online$/i"; classtype:trojan-activity; sid:4174081; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain protect-link.online"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"protect-link.online"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])protect\-link\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4174082; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain proton-docs.com"; dns.query; content:"proton-docs.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])proton\-docs\.com$/i"; classtype:trojan-activity; sid:4174091; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain proton-docs.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"proton-docs.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])proton\-docs\.com[^A-Za-z0-9-\.]/Hi"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4174092; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain proton-reader.com"; dns.query; content:"proton-reader.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])proton\-reader\.com$/i"; classtype:trojan-activity; sid:4174101; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain proton-reader.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"proton-reader.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])proton\-reader\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4174102; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain proton-viewer.com"; dns.query; content:"proton-viewer.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])proton\-viewer\.com$/i"; classtype:trojan-activity; sid:4174111; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 
[misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain proton-viewer.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"proton-viewer.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])proton\-viewer\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4174112; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain relogin-dashboard.online"; dns.query; content:"relogin-dashboard.online"; nocase; pcre: "/(^|[^A-Za-z0-9-])relogin\-dashboard\.online$/i"; classtype:trojan-activity; sid:4174121; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain relogin-dashboard.online"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"relogin-dashboard.online"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])relogin\-dashboard\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4174122; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing 
Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain safe-connection.online"; dns.query; content:"safe-connection.online"; nocase; pcre: "/(^|[^A-Za-z0-9-])safe\-connection\.online$/i"; classtype:trojan-activity; sid:4174131; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain safe-connection.online"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"safe-connection.online"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])safe\-connection\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4174132; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain safelinks-protect.live"; dns.query; content:"safelinks-protect.live"; nocase; pcre: "/(^|[^A-Za-z0-9-])safelinks\-protect\.live$/i"; classtype:trojan-activity; sid:4174141; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain safelinks-protect.live"; 
flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"safelinks-protect.live"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])safelinks\-protect\.live[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4174142; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain secureoffice.live"; dns.query; content:"secureoffice.live"; nocase; pcre: "/(^|[^A-Za-z0-9-])secureoffice\.live$/i"; classtype:trojan-activity; sid:4174151; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain secureoffice.live"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"secureoffice.live"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])secureoffice\.live[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4174152; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain webresources.live"; dns.query; content:"webresources.live"; nocase; pcre: "/(^|[^A-Za-z0-9-])webresources\.live$/i"; classtype:trojan-activity; sid:4174161; 
rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain webresources.live"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"webresources.live"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])webresources\.live[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4174162; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain word-yand.live"; dns.query; content:"word-yand.live"; nocase; pcre: "/(^|[^A-Za-z0-9-])word\-yand\.live$/i"; classtype:trojan-activity; sid:4174171; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain word-yand.live"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"word-yand.live"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])word\-yand\.live[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4174172; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert dns any any -> any any (msg: "MISP e329 
[misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain yandx-online.cloud"; dns.query; content:"yandx-online.cloud"; nocase; pcre: "/(^|[^A-Za-z0-9-])yandx\-online\.cloud$/i"; classtype:trojan-activity; sid:4174181; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain yandx-online.cloud"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"yandx-online.cloud"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])yandx\-online\.cloud[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4174182; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert dns any any -> any any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Domain y-ml.co"; dns.query; content:"y-ml.co"; nocase; pcre: "/(^|[^A-Za-z0-9-])y\-ml\.co$/i"; classtype:trojan-activity; sid:4174191; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e329 [misp-galaxy:threat-actor="Callisto",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Domain y-ml.co"; 
flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"y-ml.co"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])y\-ml\.co[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4174192; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/329;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e330 [tlp:white,misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059"] Outgoing URL http|3a|//a0698649.xsph.ru/barley/barley.xml"; flow:to_server,established; http.header; content:"a0698649.xsph.ru"; fast_pattern; nocase; http.uri; content:"/barley/barley.xml"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4174471; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/330;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e330 [tlp:white,misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059"] Outgoing URL http|3a|//a0700343.xsph.ru/new/preach.xml"; flow:to_server,established; http.header; content:"a0700343.xsph.ru"; fast_pattern; nocase; http.uri; content:"/new/preach.xml"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4174481; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/330;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e330 [tlp:white,misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",misp-galaxy:mitre-attack-pattern="Phishing - 
T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059"] Outgoing URL http|3a|//a0700462.xsph.ru/grow/guests.xml"; flow:to_server,established; http.header; content:"a0700462.xsph.ru"; fast_pattern; nocase; http.uri; content:"/grow/guests.xml"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4174491; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/330;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e330 [tlp:white,misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059"] Outgoing URL http|3a|//a0700462.xsph.ru/seek/lost.xml"; flow:to_server,established; http.header; content:"a0700462.xsph.ru"; fast_pattern; nocase; http.uri; content:"/seek/lost.xml"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4174501; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/330;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e330 [tlp:white,misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059"] Outgoing URL http|3a|//a0701919.xsph.ru/head/selling.xml"; flow:to_server,established; http.header; content:"a0701919.xsph.ru"; fast_pattern; nocase; http.uri; content:"/head/selling.xml"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4174511; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/330;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e330 [tlp:white,misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059"] Outgoing URL http|3a|//a0701919.xsph.ru/predator/decimal.xml"; flow:to_server,established; http.header; content:"a0701919.xsph.ru"; fast_pattern; nocase; http.uri; content:"/predator/decimal.xml"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4174521; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/330;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e330 [tlp:white,misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059"] Outgoing URL http|3a|//a0701919.xsph.ru/registry/prediction.xml"; flow:to_server,established; http.header; content:"a0701919.xsph.ru"; fast_pattern; nocase; http.uri; content:"/registry/prediction.xml"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4174531; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/330;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e330 [tlp:white,misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059"] Outgoing URL 
http|3a|//a0704093.xsph.ru/basement/insufficient.xml"; flow:to_server,established; http.header; content:"a0704093.xsph.ru"; fast_pattern; nocase; http.uri; content:"/basement/insufficient.xml"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4174541; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/330;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e330 [tlp:white,misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059"] Outgoing URL http|3a|//a0704093.xsph.ru/bass/grudge.xml"; flow:to_server,established; http.header; content:"a0704093.xsph.ru"; fast_pattern; nocase; http.uri; content:"/bass/grudge.xml"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4174551; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/330;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e330 [tlp:white,misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059"] Outgoing URL http|3a|//a0705076.xsph.ru/ramzeses1.html"; flow:to_server,established; http.header; content:"a0705076.xsph.ru"; fast_pattern; nocase; http.uri; content:"/ramzeses1.html"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4174561; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/330;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e330 [tlp:white,misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",misp-galaxy:mitre-attack-pattern="Phishing - 
T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059"] Outgoing URL http|3a|//a0705076.xsph.ru/regiment.txt"; flow:to_server,established; http.header; content:"a0705076.xsph.ru"; fast_pattern; nocase; http.uri; content:"/regiment.txt"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4174571; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/330;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e330 [tlp:white,misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059"] Outgoing URL http|3a|//a0705269.xsph.ru/bars/dearest.txt"; flow:to_server,established; http.header; content:"a0705269.xsph.ru"; fast_pattern; nocase; http.uri; content:"/bars/dearest.txt"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4174581; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/330;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e330 [tlp:white,misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059"] Outgoing URL http|3a|//a0705269.xsph.ru/instruct/deaf.txt"; flow:to_server,established; http.header; content:"a0705269.xsph.ru"; fast_pattern; nocase; http.uri; content:"/instruct/deaf.txt"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4174591; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/330;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e330 [tlp:white,misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059"] Outgoing URL http|3a|//a0705269.xsph.ru/prok/gur.html"; flow:to_server,established; http.header; content:"a0705269.xsph.ru"; fast_pattern; nocase; http.uri; content:"/prok/gur.html"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4174601; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/330;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e330 [tlp:white,misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059"] Outgoing URL http|3a|//a0705581.xsph.ru/guinea/preservation.txt"; flow:to_server,established; http.header; content:"a0705581.xsph.ru"; fast_pattern; nocase; http.uri; content:"/guinea/preservation.txt"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4174611; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/330;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e330 [tlp:white,misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059"] Outgoing URL http|3a|//a0705880.xsph.ru/band/sentiment.txt"; 
flow:to_server,established; http.header; content:"a0705880.xsph.ru"; fast_pattern; nocase; http.uri; content:"/band/sentiment.txt"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4174621; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/330;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e330 [tlp:white,misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059"] Outgoing URL http|3a|//a0705880.xsph.ru/based/pre.txt"; flow:to_server,established; http.header; content:"a0705880.xsph.ru"; fast_pattern; nocase; http.uri; content:"/based/pre.txt"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4174631; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/330;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e330 [tlp:white,misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059"] Outgoing URL http|3a|//a0705880.xsph.ru/selection/seedling.txt"; flow:to_server,established; http.header; content:"a0705880.xsph.ru"; fast_pattern; nocase; http.uri; content:"/selection/seedling.txt"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4174641; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/330;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e330 [tlp:white,misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing 
Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059"] Outgoing URL http|3a|//a0706248.xsph.ru/reject/headlong.txt"; flow:to_server,established; http.header; content:"a0706248.xsph.ru"; fast_pattern; nocase; http.uri; content:"/reject/headlong.txt"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4174651; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/330;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e330 [tlp:white,misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059"] Outgoing URL http|3a|//a0707763.xsph.ru/decipher/prayer.txt"; flow:to_server,established; http.header; content:"a0707763.xsph.ru"; fast_pattern; nocase; http.uri; content:"/decipher/prayer.txt"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4174661; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/330;) alert http $HOME_NET any -> 155.138.252.221 $HTTP_PORTS (msg: "MISP e330 [tlp:white,misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059"] Outgoing URL http|3a|//155.138.252.221/get.php"; flow:to_server,established; http.header; content:"155.138.252.221"; fast_pattern; nocase; http.uri; content:"/get.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4174671; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/330;) alert http $HOME_NET any -> 
45.77.237.252 $HTTP_PORTS (msg: "MISP e330 [tlp:white,misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059"] Outgoing URL http|3a|//45.77.237.252/get.php"; flow:to_server,established; http.header; content:"45.77.237.252"; fast_pattern; nocase; http.uri; content:"/get.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4174681; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/330;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e330 [tlp:white,misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059"] Outgoing URL http|3a|//motoristo.ru/get.php"; flow:to_server,established; http.header; content:"motoristo.ru"; fast_pattern; nocase; http.uri; content:"/get.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4174691; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/330;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e330 [tlp:white,misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059"] Outgoing URL http|3a|//heato.ru/index.php"; flow:to_server,established; http.header; content:"heato.ru"; fast_pattern; nocase; http.uri; content:"/index.php"; nocase; tag:session,600,seconds; 
classtype:trojan-activity; sid:4174701; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/330;) alert dns any any -> any any (msg: "MISP e330 [tlp:white,misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059"] Domain celticso.ru"; dns.query; content:"celticso.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])celticso\.ru$/i"; classtype:trojan-activity; sid:4174711; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/330;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e330 [tlp:white,misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059"] Outgoing HTTP Domain celticso.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"celticso.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])celticso\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4174712; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/330;) alert ip $HOME_NET any -> 162.33.178.129 any (msg: "MISP e330 [tlp:white,misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059"] Outgoing To IP: 162.33.178.129"; classtype:trojan-activity; sid:4174721; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/330;) alert dns any any -> any any (msg: "MISP e330 [tlp:white,misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059"] Domain kuckuduk.ru"; dns.query; content:"kuckuduk.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])kuckuduk\.ru$/i"; classtype:trojan-activity; sid:4174731; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/330;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e330 [tlp:white,misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059"] Outgoing HTTP Domain kuckuduk.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kuckuduk.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kuckuduk\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4174732; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/330;) alert dns any any -> any any (msg: "MISP e330 [tlp:white,misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059"] Domain pasamart.ru"; dns.query; content:"pasamart.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])pasamart\.ru$/i"; classtype:trojan-activity; sid:4174741; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/330;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e330 [tlp:white,misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059"] Outgoing HTTP Domain pasamart.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pasamart.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pasamart\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4174742; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/330;) alert dns any any -> any any (msg: "MISP e331 [tlp:white,misp-galaxy:mitre-intrusion-set="APT28 - G0007"] Hostname 9b5uja.am.files.1drv.com"; dns.query; content:"9b5uja.am.files.1drv.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])9b5uja\.am\.files\.1drv\.com$/i"; classtype:trojan-activity; sid:4174951; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/331;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e331 [tlp:white,misp-galaxy:mitre-intrusion-set="APT28 - G0007"] Outgoing HTTP Hostname 9b5uja.am.files.1drv.com"; flow:to_server,established; http.header; content: "Host|3a| 9b5uja.am.files.1drv.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])9b5uja\.am\.files\.1drv\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4174952; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/331;) alert dns any any -> any any (msg: "MISP e331 [tlp:white,misp-galaxy:mitre-intrusion-set="APT28 - G0007"] Hostname kdmzlw.am.files.1drv.com"; dns.query; content:"kdmzlw.am.files.1drv.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])kdmzlw\.am\.files\.1drv\.com$/i"; classtype:trojan-activity; sid:4174961; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/331;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e331 [tlp:white,misp-galaxy:mitre-intrusion-set="APT28 - G0007"] Outgoing HTTP Hostname kdmzlw.am.files.1drv.com"; flow:to_server,established; http.header; content: "Host|3a| kdmzlw.am.files.1drv.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])kdmzlw\.am\.files\.1drv\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4174962; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/331;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e331 [tlp:white,misp-galaxy:mitre-intrusion-set="APT28 - G0007"] Outgoing URL https|3a|//kdmzlw.am.files.1drv.com/y4mv4glUgvW9nl8z8GU71PhPw0oRtve9QpZ0pEgwJN1q_TlGY5yl5Mvkrc5rUh0Uxxknlr1qymWyCbPrkKOFgL4CARScSn9UMhq3c5hSNOQsDOamYLmOfN61lUtQO10vxtn0I7QROJdOtQ42wDsaiACGR5ZrmYwt0SmZkphGWQpT2gOFrsUxjg8_7QT01VTABiGr3T6xpWrTmFT5yu4toQ/DSC0001.jpeg?download"; tls.sni; content:"kdmzlw.am.files.1drv.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4174971; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/331;)
# NOTE(review): the next rule (sid:4174981) carries an empty SNI match, `tls.sni; content:"";`.
# Its source URL starts with "https:\\9b5uja.am.files.1drv.com/..." (the |5c||5c| in the msg), so the
# exporter's hostname extraction produced nothing. Suricata's content parser refuses an empty string, so
# this rule is dropped at load time with an error (with --init-errors-fatal the whole ruleset fails to
# load); a build that did accept it would fire on every TLS session to port 443 and tag each for 600 s.
# Either remove the rule or set the content to "9b5uja.am.files.1drv.com", the host that the sibling
# DNS/HTTP rules for this event (sid:4174951, sid:4174952) already match; confirm the intended host
# against event 331 before re-enabling.
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e331 [tlp:white,misp-galaxy:mitre-intrusion-set="APT28 - G0007"] Outgoing URL https|3a||5c||5c|9b5uja.am.files.1drv.com/y4mpYJ245I931DUGr7BV-dwLD7SReTqFr1N7eQOKSH_ug2G18Jd6i3SRqYqgugj3FA2JQQ7JqclvWH13Br3B5Ux-F6QcqADr-FowC_9PZi1Aj7uckcK8Uix_7ja1tF6C_8-5xYgm6zwjbXsrlEcTEenAyA8BzEaGPudutl1wMDkzVr6Wmn8_qRmYejLgbNoQmPTUe3P5NKFFLRjeeU_JhvA/DSC0002.jpeg?download"; tls.sni; content:""; tag:session,600,seconds; classtype:trojan-activity; sid:4174981; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/331;) alert dns any any -> any any (msg: "MISP e332 [tlp:white] Domain bild.asia"; dns.query; content:"bild.asia"; nocase; pcre: "/(^|[^A-Za-z0-9-])bild\.asia$/i"; classtype:trojan-activity; sid:4175051; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e332 [tlp:white] Outgoing HTTP Domain bild.asia"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bild.asia"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bild\.asia[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4175052; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert dns any any -> any any (msg: "MISP e332 [tlp:white] Hostname bild.eu.com"; dns.query; content:"bild.eu.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])bild\.eu\.com$/i"; classtype:trojan-activity; sid:4175061; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e332 [tlp:white] Outgoing HTTP Hostname bild.eu.com"; flow:to_server,established; http.header; content: "Host|3a| bild.eu.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])bild\.eu\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4175062; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert dns any any -> any any (msg: "MISP e332 [tlp:white] Domain bild.llc"; dns.query; content:"bild.llc"; nocase; pcre: "/(^|[^A-Za-z0-9-])bild\.llc$/i"; classtype:trojan-activity; sid:4175071; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e332 [tlp:white] Outgoing HTTP Domain bild.llc"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bild.llc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bild\.llc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4175072; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert dns any any -> any any (msg: "MISP e332 [tlp:white] Domain bild.pics"; dns.query; content:"bild.pics"; nocase; pcre: "/(^|[^A-Za-z0-9-])bild\.pics$/i"; 
classtype:trojan-activity; sid:4175081; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e332 [tlp:white] Outgoing HTTP Domain bild.pics"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bild.pics"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bild\.pics[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4175082; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert dns any any -> any any (msg: "MISP e332 [tlp:white] Domain bild.vip"; dns.query; content:"bild.vip"; nocase; pcre: "/(^|[^A-Za-z0-9-])bild\.vip$/i"; classtype:trojan-activity; sid:4175091; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e332 [tlp:white] Outgoing HTTP Domain bild.vip"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bild.vip"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bild\.vip[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4175092; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert dns any any -> any any (msg: "MISP e332 [tlp:white] Domain blld.live"; dns.query; content:"blld.live"; nocase; pcre: "/(^|[^A-Za-z0-9-])blld\.live$/i"; classtype:trojan-activity; sid:4175101; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e332 [tlp:white] Outgoing HTTP Domain blld.live"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"blld.live"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])blld\.live[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4175102; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert dns any any -> any any (msg: "MISP e332 
[tlp:white] Domain bild.work"; dns.query; content:"bild.work"; nocase; pcre: "/(^|[^A-Za-z0-9-])bild\.work$/i"; classtype:trojan-activity; sid:4175111; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e332 [tlp:white] Outgoing HTTP Domain bild.work"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bild.work"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bild\.work[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4175112; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert dns any any -> any any (msg: "MISP e332 [tlp:white] Domain bild.ws"; dns.query; content:"bild.ws"; nocase; pcre: "/(^|[^A-Za-z0-9-])bild\.ws$/i"; classtype:trojan-activity; sid:4175121; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e332 [tlp:white] Outgoing HTTP Domain bild.ws"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bild.ws"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bild\.ws[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4175122; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert dns any any -> any any (msg: "MISP e332 [tlp:white] Domain spiegel.agency"; dns.query; content:"spiegel.agency"; nocase; pcre: "/(^|[^A-Za-z0-9-])spiegel\.agency$/i"; classtype:trojan-activity; sid:4175131; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e332 [tlp:white] Outgoing HTTP Domain spiegel.agency"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"spiegel.agency"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])spiegel\.agency[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; 
sid:4175132; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert dns any any -> any any (msg: "MISP e332 [tlp:white] Hostname spiegel.co.com"; dns.query; content:"spiegel.co.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])spiegel\.co\.com$/i"; classtype:trojan-activity; sid:4175141; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e332 [tlp:white] Outgoing HTTP Hostname spiegel.co.com"; flow:to_server,established; http.header; content: "Host|3a| spiegel.co.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])spiegel\.co\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4175142; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert dns any any -> any any (msg: "MISP e332 [tlp:white] Domain spiegel.fun"; dns.query; content:"spiegel.fun"; nocase; pcre: "/(^|[^A-Za-z0-9-])spiegel\.fun$/i"; classtype:trojan-activity; sid:4175151; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e332 [tlp:white] Outgoing HTTP Domain spiegel.fun"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"spiegel.fun"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])spiegel\.fun[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4175152; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert dns any any -> any any (msg: "MISP e332 [tlp:white] Domain spiegeli.life"; dns.query; content:"spiegeli.life"; nocase; pcre: "/(^|[^A-Za-z0-9-])spiegeli\.life$/i"; classtype:trojan-activity; sid:4175161; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e332 [tlp:white] Outgoing HTTP Domain spiegeli.life"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; 
content:"spiegeli.life"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])spiegeli\.life[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4175162; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert dns any any -> any any (msg: "MISP e332 [tlp:white] Domain spiegel.ltd"; dns.query; content:"spiegel.ltd"; nocase; pcre: "/(^|[^A-Za-z0-9-])spiegel\.ltd$/i"; classtype:trojan-activity; sid:4175171; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e332 [tlp:white] Outgoing HTTP Domain spiegel.ltd"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"spiegel.ltd"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])spiegel\.ltd[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4175172; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert dns any any -> any any (msg: "MISP e332 [tlp:white] Domain spiegel.pro"; dns.query; content:"spiegel.pro"; nocase; pcre: "/(^|[^A-Za-z0-9-])spiegel\.pro$/i"; classtype:trojan-activity; sid:4175181; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e332 [tlp:white] Outgoing HTTP Domain spiegel.pro"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"spiegel.pro"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])spiegel\.pro[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4175182; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert dns any any -> any any (msg: "MISP e332 [tlp:white] Domain spiegel.work"; dns.query; content:"spiegel.work"; nocase; pcre: "/(^|[^A-Za-z0-9-])spiegel\.work$/i"; classtype:trojan-activity; sid:4175191; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg: "MISP e332 [tlp:white] Outgoing HTTP Domain spiegel.work"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"spiegel.work"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])spiegel\.work[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4175192; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert dns any any -> any any (msg: "MISP e332 [tlp:white] Domain spiegel.cab"; dns.query; content:"spiegel.cab"; nocase; pcre: "/(^|[^A-Za-z0-9-])spiegel\.cab$/i"; classtype:trojan-activity; sid:4175201; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e332 [tlp:white] Outgoing HTTP Domain spiegel.cab"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"spiegel.cab"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])spiegel\.cab[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4175202; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert dns any any -> any any (msg: "MISP e332 [tlp:white] Domain spiegelr.today"; dns.query; content:"spiegelr.today"; nocase; pcre: "/(^|[^A-Za-z0-9-])spiegelr\.today$/i"; classtype:trojan-activity; sid:4175211; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e332 [tlp:white] Outgoing HTTP Domain spiegelr.today"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"spiegelr.today"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])spiegelr\.today[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4175212; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert dns any any -> any any (msg: "MISP e332 [tlp:white] Domain sueddeutsche.me"; dns.query; content:"sueddeutsche.me"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])sueddeutsche\.me$/i"; classtype:trojan-activity; sid:4175221; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e332 [tlp:white] Outgoing HTTP Domain sueddeutsche.me"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sueddeutsche.me"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sueddeutsche\.me[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4175222; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert dns any any -> any any (msg: "MISP e332 [tlp:white] Domain sueddeutsche.cc"; dns.query; content:"sueddeutsche.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-])sueddeutsche\.cc$/i"; classtype:trojan-activity; sid:4175231; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e332 [tlp:white] Outgoing HTTP Domain sueddeutsche.cc"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sueddeutsche.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sueddeutsche\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4175232; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert dns any any -> any any (msg: "MISP e332 [tlp:white] Domain sueddeutsche.co"; dns.query; content:"sueddeutsche.co"; nocase; pcre: "/(^|[^A-Za-z0-9-])sueddeutsche\.co$/i"; classtype:trojan-activity; sid:4175241; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e332 [tlp:white] Outgoing HTTP Domain sueddeutsche.co"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sueddeutsche.co"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sueddeutsche\.co[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; 
sid:4175242; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert dns any any -> any any (msg: "MISP e332 [tlp:white] Domain tagesspiegel.ltd"; dns.query; content:"tagesspiegel.ltd"; nocase; pcre: "/(^|[^A-Za-z0-9-])tagesspiegel\.ltd$/i"; classtype:trojan-activity; sid:4175261; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e332 [tlp:white] Outgoing HTTP Domain tagesspiegel.ltd"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tagesspiegel.ltd"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tagesspiegel\.ltd[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4175262; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert dns any any -> any any (msg: "MISP e332 [tlp:white] Domain tagesspiegel.co"; dns.query; content:"tagesspiegel.co"; nocase; pcre: "/(^|[^A-Za-z0-9-])tagesspiegel\.co$/i"; classtype:trojan-activity; sid:4175271; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e332 [tlp:white] Outgoing HTTP Domain tagesspiegel.co"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tagesspiegel.co"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tagesspiegel\.co[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4175272; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert dns any any -> any any (msg: "MISP e332 [tlp:white] Domain fraiesvolk.com"; dns.query; content:"fraiesvolk.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])fraiesvolk\.com$/i"; classtype:trojan-activity; sid:4175281; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e332 [tlp:white] Outgoing HTTP Domain fraiesvolk.com"; 
flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"fraiesvolk.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])fraiesvolk\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4175282; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert dns any any -> any any (msg: "MISP e332 [tlp:white] Domain tonline.cfd"; dns.query; content:"tonline.cfd"; nocase; pcre: "/(^|[^A-Za-z0-9-])tonline\.cfd$/i"; classtype:trojan-activity; sid:4175291; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e332 [tlp:white] Outgoing HTTP Domain tonline.cfd"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tonline.cfd"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tonline\.cfd[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4175292; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert dns any any -> any any (msg: "MISP e332 [tlp:white] Domain tonline.life"; dns.query; content:"tonline.life"; nocase; pcre: "/(^|[^A-Za-z0-9-])tonline\.life$/i"; classtype:trojan-activity; sid:4175301; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e332 [tlp:white] Outgoing HTTP Domain tonline.life"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tonline.life"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tonline\.life[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4175302; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert dns any any -> any any (msg: "MISP e332 [tlp:white] Domain t-onlinl.life"; dns.query; content:"t-onlinl.life"; nocase; pcre: "/(^|[^A-Za-z0-9-])t\-onlinl\.life$/i"; classtype:trojan-activity; sid:4175311; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/332;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e332 [tlp:white] Outgoing HTTP Domain t-onlinl.life"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"t-onlinl.life"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])t\-onlinl\.life[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4175312; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert dns any any -> any any (msg: "MISP e332 [tlp:white] Domain t-onlinl.live"; dns.query; content:"t-onlinl.live"; nocase; pcre: "/(^|[^A-Za-z0-9-])t\-onlinl\.live$/i"; classtype:trojan-activity; sid:4175321; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e332 [tlp:white] Outgoing HTTP Domain t-onlinl.live"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"t-onlinl.live"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])t\-onlinl\.live[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4175322; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert dns any any -> any any (msg: "MISP e332 [tlp:white] Domain t-onlinl.today"; dns.query; content:"t-onlinl.today"; nocase; pcre: "/(^|[^A-Za-z0-9-])t\-onlinl\.today$/i"; classtype:trojan-activity; sid:4175331; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e332 [tlp:white] Outgoing HTTP Domain t-onlinl.today"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"t-onlinl.today"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])t\-onlinl\.today[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4175332; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert dns any any -> any any (msg: 
"MISP e332 [tlp:white] Domain t-onlinr.life"; dns.query; content:"t-onlinr.life"; nocase; pcre: "/(^|[^A-Za-z0-9-])t\-onlinr\.life$/i"; classtype:trojan-activity; sid:4175341; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e332 [tlp:white] Outgoing HTTP Domain t-onlinr.life"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"t-onlinr.life"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])t\-onlinr\.life[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4175342; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert dns any any -> any any (msg: "MISP e332 [tlp:white] Domain t-onlinr.live"; dns.query; content:"t-onlinr.live"; nocase; pcre: "/(^|[^A-Za-z0-9-])t\-onlinr\.live$/i"; classtype:trojan-activity; sid:4175351; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e332 [tlp:white] Outgoing HTTP Domain t-onlinr.live"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"t-onlinr.live"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])t\-onlinr\.live[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4175352; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert dns any any -> any any (msg: "MISP e332 [tlp:white] Domain t-onlinr.today"; dns.query; content:"t-onlinr.today"; nocase; pcre: "/(^|[^A-Za-z0-9-])t\-onlinr\.today$/i"; classtype:trojan-activity; sid:4175361; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e332 [tlp:white] Outgoing HTTP Domain t-onlinr.today"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"t-onlinr.today"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])t\-onlinr\.today[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4175362; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert dns any any -> any any (msg: "MISP e332 [tlp:white] Domain welt.ltd"; dns.query; content:"welt.ltd"; nocase; pcre: "/(^|[^A-Za-z0-9-])welt\.ltd$/i"; classtype:trojan-activity; sid:4175371; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e332 [tlp:white] Outgoing HTTP Domain welt.ltd"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"welt.ltd"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])welt\.ltd[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4175372; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert dns any any -> any any (msg: "MISP e332 [tlp:white] Domain faz.ltd"; dns.query; content:"faz.ltd"; nocase; pcre: "/(^|[^A-Za-z0-9-])faz\.ltd$/i"; classtype:trojan-activity; sid:4175381; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e332 [tlp:white] Outgoing HTTP Domain faz.ltd"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"faz.ltd"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])faz\.ltd[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4175382; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert dns any any -> any any (msg: "MISP e332 [tlp:white] Domain faz.agency"; dns.query; content:"faz.agency"; nocase; pcre: "/(^|[^A-Za-z0-9-])faz\.agency$/i"; classtype:trojan-activity; sid:4175391; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e332 [tlp:white] Outgoing HTTP Domain faz.agency"; flow:to_server,established; 
http.header; content: "Host|3a|"; nocase; http.header; content:"faz.agency"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])faz\.agency[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4175392; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert dns any any -> any any (msg: "MISP e332 [tlp:white] Domain nd-aktuell.net"; dns.query; content:"nd-aktuell.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])nd\-aktuell\.net$/i"; classtype:trojan-activity; sid:4175401; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e332 [tlp:white] Outgoing HTTP Domain nd-aktuell.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nd-aktuell.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nd\-aktuell\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4175402; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert dns any any -> any any (msg: "MISP e332 [tlp:white] Domain nd-aktuell.pro"; dns.query; content:"nd-aktuell.pro"; nocase; pcre: "/(^|[^A-Za-z0-9-])nd\-aktuell\.pro$/i"; classtype:trojan-activity; sid:4175411; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e332 [tlp:white] Outgoing HTTP Domain nd-aktuell.pro"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nd-aktuell.pro"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nd\-aktuell\.pro[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4175412; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert dns any any -> any any (msg: "MISP e332 [tlp:white] Domain nd-aktuell.co"; dns.query; content:"nd-aktuell.co"; nocase; pcre: "/(^|[^A-Za-z0-9-])nd\-aktuell\.co$/i"; classtype:trojan-activity; sid:4175421; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/332;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e332 [tlp:white] Outgoing HTTP Domain nd-aktuell.co"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nd-aktuell.co"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nd\-aktuell\.co[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4175422; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert dns any any -> any any (msg: "MISP e332 [tlp:white] Domain dailymail.cfd"; dns.query; content:"dailymail.cfd"; nocase; pcre: "/(^|[^A-Za-z0-9-])dailymail\.cfd$/i"; classtype:trojan-activity; sid:4175431; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e332 [tlp:white] Outgoing HTTP Domain dailymail.cfd"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dailymail.cfd"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dailymail\.cfd[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4175432; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert dns any any -> any any (msg: "MISP e332 [tlp:white] Hostname theguardian.co.com"; dns.query; content:"theguardian.co.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])theguardian\.co\.com$/i"; classtype:trojan-activity; sid:4175441; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e332 [tlp:white] Outgoing HTTP Hostname theguardian.co.com"; flow:to_server,established; http.header; content: "Host|3a| theguardian.co.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])theguardian\.co\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4175442; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert dns any any -> any any (msg: 
"MISP e332 [tlp:white] Domain 20minuts.com"; dns.query; content:"20minuts.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])20minuts\.com$/i"; classtype:trojan-activity; sid:4175451; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e332 [tlp:white] Outgoing HTTP Domain 20minuts.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"20minuts.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])20minuts\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4175452; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert dns any any -> any any (msg: "MISP e332 [tlp:white] Hostname rbk.kiev.ua"; dns.query; content:"rbk.kiev.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])rbk\.kiev\.ua$/i"; classtype:trojan-activity; sid:4175461; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e332 [tlp:white] Outgoing HTTP Hostname rbk.kiev.ua"; flow:to_server,established; http.header; content: "Host|3a| rbk.kiev.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])rbk\.kiev\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4175462; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert dns any any -> any any (msg: "MISP e332 [tlp:white] Domain rbk.today"; dns.query; content:"rbk.today"; nocase; pcre: "/(^|[^A-Za-z0-9-])rbk\.today$/i"; classtype:trojan-activity; sid:4175471; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e332 [tlp:white] Outgoing HTTP Domain rbk.today"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"rbk.today"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])rbk\.today[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; 
sid:4175472; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert dns any any -> any any (msg: "MISP e332 [tlp:white] Domain obozrevatels.com"; dns.query; content:"obozrevatels.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])obozrevatels\.com$/i"; classtype:trojan-activity; sid:4175481; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e332 [tlp:white] Outgoing HTTP Domain obozrevatels.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"obozrevatels.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])obozrevatels\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4175482; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert dns any any -> any any (msg: "MISP e332 [tlp:white] Domain ansa.ltd"; dns.query; content:"ansa.ltd"; nocase; pcre: "/(^|[^A-Za-z0-9-])ansa\.ltd$/i"; classtype:trojan-activity; sid:4175491; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e332 [tlp:white] Outgoing HTTP Domain ansa.ltd"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ansa.ltd"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ansa\.ltd[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4175492; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert dns any any -> any any (msg: "MISP e332 [tlp:white] Domain delfl.cc"; dns.query; content:"delfl.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-])delfl\.cc$/i"; classtype:trojan-activity; sid:4175501; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e332 [tlp:white] Outgoing HTTP Domain delfl.cc"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; 
content:"delfl.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])delfl\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4175502; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert dns any any -> any any (msg: "MISP e332 [tlp:white] Domain lsm.li"; dns.query; content:"lsm.li"; nocase; pcre: "/(^|[^A-Za-z0-9-])lsm\.li$/i"; classtype:trojan-activity; sid:4175511; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e332 [tlp:white] Outgoing HTTP Domain lsm.li"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lsm.li"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lsm\.li[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4175512; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert dns any any -> any any (msg: "MISP e332 [tlp:white] Domain reuters.cfd"; dns.query; content:"reuters.cfd"; nocase; pcre: "/(^|[^A-Za-z0-9-])reuters\.cfd$/i"; classtype:trojan-activity; sid:4175521; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e332 [tlp:white] Outgoing HTTP Domain reuters.cfd"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"reuters.cfd"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])reuters\.cfd[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4175522; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert ip $HOME_NET any -> 46.246.96.73 any (msg: "MISP e332 [tlp:white] Outgoing To IP: 46.246.96.73"; classtype:trojan-activity; sid:4175531; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert ip $HOME_NET any -> 89.223.120.166 any (msg: "MISP e332 [tlp:white] Outgoing To IP: 89.223.120.166"; classtype:trojan-activity; 
sid:4175541; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert ip $HOME_NET any -> 206.54.190.198 any (msg: "MISP e332 [tlp:white] Outgoing To IP: 206.54.190.198"; classtype:trojan-activity; sid:4175551; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/332;) alert ip $HOME_NET any -> 67.225.140.4 any (msg: "MISP e333 [tlp:white,misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Journalist",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing via Service - T1566.003",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001"] Outgoing To IP: 67.225.140.4"; classtype:trojan-activity; sid:4176081; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/333;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e333 [tlp:white,misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Journalist",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing via Service - T1566.003",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001"] Outgoing URL https|3a|//turnscor.com/wp-includes/feedback.php"; tls.sni; content:"turnscor.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4176091; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/333;) alert ip $HOME_NET any -> 50.192.28.29 any (msg: "MISP e333 [tlp:white,misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Journalist",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing via Service - T1566.003",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001"] Outgoing To IP: 50.192.28.29"; classtype:trojan-activity; sid:4176101; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/333;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e333 [tlp:white,misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Journalist",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing via Service - T1566.003",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001"] Outgoing URL https|3a|//aquaprographix.com/patterns/Map/maps.php"; tls.sni; content:"aquaprographix.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4176111; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/333;) alert ip $HOME_NET any -> 31.11.32.79 any (msg: "MISP e333 [tlp:white,misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Journalist",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing via Service - T1566.003",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001"] Outgoing To IP: 31.11.32.79"; classtype:trojan-activity; sid:4176131; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/333;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e333 [tlp:white,misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Journalist",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing via Service - T1566.003",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001"] Outgoing URL http|3a|//www.stracarrara.org/images/img.asp"; flow:to_server,established; http.header; content:"www.stracarrara.org"; fast_pattern; nocase; http.uri; content:"/images/img.asp"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4176141; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/333;) alert dns any any -> any any (msg: 
"MISP e334 [tlp:white,misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-malware="Dtrack - S0567",misp-galaxy:country="brazil",misp-galaxy:country="germany",misp-galaxy:country="india",misp-galaxy:country="italy",misp-galaxy:country="mexico",misp-galaxy:country="saudi arabia",misp-galaxy:country="switzerland",misp-galaxy:country="turkey",misp-galaxy:country="united states"] Domain pinkgoat.com"; dns.query; content:"pinkgoat.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])pinkgoat\.com$/i"; classtype:trojan-activity; sid:4176251; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/334;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e334 [tlp:white,misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-malware="Dtrack - S0567",misp-galaxy:country="brazil",misp-galaxy:country="germany",misp-galaxy:country="india",misp-galaxy:country="italy",misp-galaxy:country="mexico",misp-galaxy:country="saudi arabia",misp-galaxy:country="switzerland",misp-galaxy:country="turkey",misp-galaxy:country="united states"] Outgoing HTTP Domain pinkgoat.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pinkgoat.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pinkgoat\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4176252; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/334;) alert dns any any -> any any (msg: "MISP e334 [tlp:white,misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-malware="Dtrack - S0567",misp-galaxy:country="brazil",misp-galaxy:country="germany",misp-galaxy:country="india",misp-galaxy:country="italy",misp-galaxy:country="mexico",misp-galaxy:country="saudi arabia",misp-galaxy:country="switzerland",misp-galaxy:country="turkey",misp-galaxy:country="united states"] Domain purewatertokyo.com"; dns.query; content:"purewatertokyo.com"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])purewatertokyo\.com$/i"; classtype:trojan-activity; sid:4176261; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/334;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e334 [tlp:white,misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-malware="Dtrack - S0567",misp-galaxy:country="brazil",misp-galaxy:country="germany",misp-galaxy:country="india",misp-galaxy:country="italy",misp-galaxy:country="mexico",misp-galaxy:country="saudi arabia",misp-galaxy:country="switzerland",misp-galaxy:country="turkey",misp-galaxy:country="united states"] Outgoing HTTP Domain purewatertokyo.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"purewatertokyo.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])purewatertokyo\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4176262; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/334;) alert dns any any -> any any (msg: "MISP e334 [tlp:white,misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-malware="Dtrack - S0567",misp-galaxy:country="brazil",misp-galaxy:country="germany",misp-galaxy:country="india",misp-galaxy:country="italy",misp-galaxy:country="mexico",misp-galaxy:country="saudi arabia",misp-galaxy:country="switzerland",misp-galaxy:country="turkey",misp-galaxy:country="united states"] Domain purplebear.com"; dns.query; content:"purplebear.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])purplebear\.com$/i"; classtype:trojan-activity; sid:4176271; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/334;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e334 [tlp:white,misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-malware="Dtrack - 
S0567",misp-galaxy:country="brazil",misp-galaxy:country="germany",misp-galaxy:country="india",misp-galaxy:country="italy",misp-galaxy:country="mexico",misp-galaxy:country="saudi arabia",misp-galaxy:country="switzerland",misp-galaxy:country="turkey",misp-galaxy:country="united states"] Outgoing HTTP Domain purplebear.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"purplebear.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])purplebear\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4176272; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/334;) alert dns any any -> any any (msg: "MISP e334 [tlp:white,misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-malware="Dtrack - S0567",misp-galaxy:country="brazil",misp-galaxy:country="germany",misp-galaxy:country="india",misp-galaxy:country="italy",misp-galaxy:country="mexico",misp-galaxy:country="saudi arabia",misp-galaxy:country="switzerland",misp-galaxy:country="turkey",misp-galaxy:country="united states"] Domain salmonrabbit.com"; dns.query; content:"salmonrabbit.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])salmonrabbit\.com$/i"; classtype:trojan-activity; sid:4176281; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/334;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e334 [tlp:white,misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032",misp-galaxy:mitre-malware="Dtrack - S0567",misp-galaxy:country="brazil",misp-galaxy:country="germany",misp-galaxy:country="india",misp-galaxy:country="italy",misp-galaxy:country="mexico",misp-galaxy:country="saudi arabia",misp-galaxy:country="switzerland",misp-galaxy:country="turkey",misp-galaxy:country="united states"] Outgoing HTTP Domain salmonrabbit.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"salmonrabbit.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])salmonrabbit\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4176282; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/334;) alert dns any any -> any any (msg: "MISP e336 [tlp:white,misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Domain webservice-srv.online"; dns.query; content:"webservice-srv.online"; nocase; pcre: "/(^|[^A-Za-z0-9-])webservice\-srv\.online$/i"; classtype:trojan-activity; sid:4180381; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/336;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e336 [tlp:white,misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing HTTP Domain webservice-srv.online"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"webservice-srv.online"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])webservice\-srv\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4180382; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/336;) alert dns any any -> any any (msg: "MISP e336 [tlp:white,misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Domain webservice-srv1.online"; dns.query; content:"webservice-srv1.online"; nocase; pcre: "/(^|[^A-Za-z0-9-])webservice\-srv1\.online$/i"; classtype:trojan-activity; sid:4180391; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/336;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e336 [tlp:white,misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing HTTP Domain webservice-srv1.online"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"webservice-srv1.online"; 
fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])webservice\-srv1\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4180392; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/336;) alert ip $HOME_NET any -> 185.166.217.184 any (msg: "MISP e336 [tlp:white,misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"] Outgoing To IP: 185.166.217.184"; classtype:trojan-activity; sid:4180401; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/336;) alert ip $HOME_NET any -> 146.70.88.123 any (msg: "MISP e337 [misp-galaxy:threat-actor="Cloud Atlas",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Outgoing To IP: 146.70.88.123"; classtype:trojan-activity; sid:4180481; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/337;) alert ip $HOME_NET any -> 185.227.82.21 any (msg: "MISP e337 [misp-galaxy:threat-actor="Cloud Atlas",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Outgoing To IP: 185.227.82.21"; classtype:trojan-activity; sid:4180491; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/337;) alert dns any any -> any any (msg: "MISP e337 [misp-galaxy:threat-actor="Cloud Atlas",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Domain desktoppreview.com"; dns.query; content:"desktoppreview.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])desktoppreview\.com$/i"; classtype:trojan-activity; sid:4180501; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/337;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg: "MISP e337 [misp-galaxy:threat-actor="Cloud Atlas",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Outgoing HTTP Domain desktoppreview.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"desktoppreview.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])desktoppreview\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4180502; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/337;) alert dns any any -> any any (msg: "MISP e337 [misp-galaxy:threat-actor="Cloud Atlas",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Domain gettemplate.org"; dns.query; content:"gettemplate.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])gettemplate\.org$/i"; classtype:trojan-activity; sid:4180511; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/337;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e337 [misp-galaxy:threat-actor="Cloud Atlas",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Outgoing HTTP Domain gettemplate.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gettemplate.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gettemplate\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4180512; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/337;) alert dns any any -> any any (msg: "MISP e337 [misp-galaxy:threat-actor="Cloud Atlas",misp-galaxy:mitre-attack-pattern="Phishing - 
T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Domain driversolution.net"; dns.query; content:"driversolution.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])driversolution\.net$/i"; classtype:trojan-activity; sid:4180521; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/337;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e337 [misp-galaxy:threat-actor="Cloud Atlas",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Outgoing HTTP Domain driversolution.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"driversolution.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])driversolution\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4180522; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/337;) alert dns any any -> any any (msg: "MISP e337 [misp-galaxy:threat-actor="Cloud Atlas",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Domain translate-news.net"; dns.query; content:"translate-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])translate\-news\.net$/i"; classtype:trojan-activity; sid:4180531; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/337;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e337 [misp-galaxy:threat-actor="Cloud Atlas",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Outgoing HTTP Domain translate-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; 
http.header; content:"translate-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])translate\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4180532; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/337;) alert dns any any -> any any (msg: "MISP e337 [misp-galaxy:threat-actor="Cloud Atlas",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Domain technology-requests.net"; dns.query; content:"technology-requests.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])technology\-requests\.net$/i"; classtype:trojan-activity; sid:4180541; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/337;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e337 [misp-galaxy:threat-actor="Cloud Atlas",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Outgoing HTTP Domain technology-requests.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"technology-requests.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])technology\-requests\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4180542; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/337;) alert dns any any -> any any (msg: "MISP e337 [misp-galaxy:threat-actor="Cloud Atlas",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Domain protocol-list.com"; dns.query; content:"protocol-list.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])protocol\-list\.com$/i"; classtype:trojan-activity; sid:4180551; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/337;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e337 [misp-galaxy:threat-actor="Cloud Atlas",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Outgoing HTTP Domain protocol-list.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"protocol-list.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])protocol\-list\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4180552; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/337;) alert dns any any -> any any (msg: "MISP e337 [misp-galaxy:threat-actor="Cloud Atlas",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Domain comparelicense.com"; dns.query; content:"comparelicense.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])comparelicense\.com$/i"; classtype:trojan-activity; sid:4180561; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/337;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e337 [misp-galaxy:threat-actor="Cloud Atlas",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Outgoing HTTP Domain comparelicense.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"comparelicense.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])comparelicense\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4180562; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/337;) alert dns any any -> any any (msg: "MISP e337 
[misp-galaxy:threat-actor="Cloud Atlas",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Domain support-app.net"; dns.query; content:"support-app.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])support\-app\.net$/i"; classtype:trojan-activity; sid:4180571; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/337;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e337 [misp-galaxy:threat-actor="Cloud Atlas",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Outgoing HTTP Domain support-app.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"support-app.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])support\-app\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4180572; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/337;) alert dns any any -> any any (msg: "MISP e337 [misp-galaxy:threat-actor="Cloud Atlas",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Domain remote-convert.com"; dns.query; content:"remote-convert.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])remote\-convert\.com$/i"; classtype:trojan-activity; sid:4180581; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/337;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e337 [misp-galaxy:threat-actor="Cloud Atlas",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Outgoing HTTP Domain remote-convert.com"; 
flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"remote-convert.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])remote\-convert\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4180582; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/337;) alert dns any any -> any any (msg: "MISP e338 [misp-galaxy:mitre-intrusion-set="Charming Kitten - G0058",tlp:white] Domain cutly.biz"; dns.query; content:"cutly.biz"; nocase; pcre: "/(^|[^A-Za-z0-9-])cutly\.biz$/i"; classtype:trojan-activity; sid:4181121; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/338;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e338 [misp-galaxy:mitre-intrusion-set="Charming Kitten - G0058",tlp:white] Outgoing HTTP Domain cutly.biz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cutly.biz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cutly\.biz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4181122; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/338;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e338 [misp-galaxy:mitre-intrusion-set="Charming Kitten - G0058",tlp:white] Outgoing URL https|3a|//sharefilesonline.live/xxxxxx/BI-File-2022.html"; tls.sni; content:"sharefilesonline.live"; tag:session,600,seconds; classtype:trojan-activity; sid:4181131; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/338;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e338 [misp-galaxy:mitre-intrusion-set="Charming Kitten - G0058",tlp:white] Outgoing URL https|3a|//sharefilesonline.live/xxxxxx/G-check-first.html"; tls.sni; content:"sharefilesonline.live"; tag:session,600,seconds; classtype:trojan-activity; sid:4181141; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/338;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e338 
[misp-galaxy:mitre-intrusion-set="Charming Kitten - G0058",tlp:white] Outgoing URL https|3a|//sharefilesonline.live/xxxxxx/G-transfer.html"; tls.sni; content:"sharefilesonline.live"; tag:session,600,seconds; classtype:trojan-activity; sid:4181151; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/338;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e338 [misp-galaxy:mitre-intrusion-set="Charming Kitten - G0058",tlp:white] Outgoing URL https|3a|//sharefilesonline.live/xxxxxx/continue.html"; tls.sni; content:"sharefilesonline.live"; tag:session,600,seconds; classtype:trojan-activity; sid:4181161; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/338;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e338 [misp-galaxy:mitre-intrusion-set="Charming Kitten - G0058",tlp:white] Outgoing URL https|3a|//sharefilesonline.live/xxxxxx/index.php"; tls.sni; content:"sharefilesonline.live"; tag:session,600,seconds; classtype:trojan-activity; sid:4181171; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/338;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e338 [misp-galaxy:mitre-intrusion-set="Charming Kitten - G0058",tlp:white] Outgoing URL https|3a|//mailer-daemon.net/file=sharing=system/xxxxxx/first.check.html"; tls.sni; content:"mailer-daemon.net"; tag:session,600,seconds; classtype:trojan-activity; sid:4181181; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/338;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e338 [misp-galaxy:mitre-intrusion-set="Charming Kitten - G0058",tlp:white] Outgoing URL http|3a|//mailer-daemon.org/xxxxxx/index.php"; flow:to_server,established; http.header; content:"mailer-daemon.org"; fast_pattern; nocase; http.uri; content:"/xxxxxx/index.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4181191; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/338;) alert ip $HOME_NET any -> 
217.12.206.116 any (msg: "MISP e339 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing To IP: 217.12.206.116"; classtype:trojan-activity; sid:4181341; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/339;) alert ip $HOME_NET any -> 45.134.83.29 any (msg: "MISP e339 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing To IP: 45.134.83.29"; classtype:trojan-activity; sid:4181351; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/339;) alert ip $HOME_NET any -> 78.47.65.117 any (msg: "MISP e341 [tlp:white] Outgoing To IP: 78.47.65.117"; classtype:trojan-activity; sid:4181601; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/341;) alert ip $HOME_NET any -> 195.201.92.6 any (msg: "MISP e341 [tlp:white] Outgoing To IP: 195.201.92.6"; classtype:trojan-activity; sid:4181611; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/341;) alert ip $HOME_NET any -> 148.251.46.106 any (msg: "MISP e341 [tlp:white] Outgoing To IP: 148.251.46.106"; classtype:trojan-activity; sid:4181621; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/341;) alert ip $HOME_NET any -> 185.124.191.114 any (msg: "MISP e341 [tlp:white] Outgoing To IP: 185.124.191.114"; classtype:trojan-activity; sid:4181631; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/341;) alert ip $HOME_NET any -> 185.124.191.123 any (msg: "MISP e341 [tlp:white] Outgoing To IP: 185.124.191.123"; classtype:trojan-activity; sid:4181641; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/341;) alert ip $HOME_NET any -> 91.108.43.111 any (msg: "MISP e341 [tlp:white] Outgoing To IP: 91.108.43.111"; classtype:trojan-activity; sid:4181651; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/341;) alert ip $HOME_NET any -> 95.47.137.104 any (msg: "MISP e341 
[tlp:white] Outgoing To IP: 95.47.137.104"; classtype:trojan-activity; sid:4181661; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/341;) alert ip $HOME_NET any -> 46.231.213.254 any (msg: "MISP e341 [tlp:white] Outgoing To IP: 46.231.213.254"; classtype:trojan-activity; sid:4181671; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/341;) alert ip $HOME_NET any -> 178.16.146.186 any (msg: "MISP e341 [tlp:white] Outgoing To IP: 178.16.146.186"; classtype:trojan-activity; sid:4181681; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/341;) alert ip $HOME_NET any -> 81.27.240.134 any (msg: "MISP e341 [tlp:white] Outgoing To IP: 81.27.240.134"; classtype:trojan-activity; sid:4181691; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/341;) alert ip $HOME_NET any -> 84.52.111.135 any (msg: "MISP e341 [tlp:white] Outgoing To IP: 84.52.111.135"; classtype:trojan-activity; sid:4181701; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/341;) alert ip $HOME_NET any -> 109.195.82.134 any (msg: "MISP e341 [tlp:white] Outgoing To IP: 109.195.82.134"; classtype:trojan-activity; sid:4181711; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/341;) alert ip $HOME_NET any -> 109.195.82.138 any (msg: "MISP e341 [tlp:white] Outgoing To IP: 109.195.82.138"; classtype:trojan-activity; sid:4181721; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/341;) alert ip $HOME_NET any -> 37.77.129.246 any (msg: "MISP e341 [tlp:white] Outgoing To IP: 37.77.129.246"; classtype:trojan-activity; sid:4181731; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/341;) alert ip $HOME_NET any -> 37.77.135.5 any (msg: "MISP e341 [tlp:white] Outgoing To IP: 37.77.135.5"; classtype:trojan-activity; sid:4181741; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/341;) alert ip $HOME_NET any -> 109.95.210.145 any (msg: "MISP e341 [tlp:white] 
Outgoing To IP: 109.95.210.145"; classtype:trojan-activity; sid:4181751; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/341;) alert ip $HOME_NET any -> 149.126.17.198 any (msg: "MISP e341 [tlp:white] Outgoing To IP: 149.126.17.198"; classtype:trojan-activity; sid:4181761; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/341;) alert ip $HOME_NET any -> 193.106.74.11 any (msg: "MISP e341 [tlp:white] Outgoing To IP: 193.106.74.11"; classtype:trojan-activity; sid:4181771; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/341;) alert ip $HOME_NET any -> 162.33.177.195 any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing To IP: 162.33.177.195"; classtype:trojan-activity; sid:4182411; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert ip $HOME_NET any -> 172.105.215.208 any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing To IP: 172.105.215.208"; classtype:trojan-activity; sid:4182421; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert ip $HOME_NET any -> 172.86.75.220 any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing To IP: 172.86.75.220"; classtype:trojan-activity; sid:4182431; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert ip $HOME_NET any -> 192.153.57.67 any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing To IP: 192.153.57.67"; classtype:trojan-activity; sid:4182441; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert ip $HOME_NET any -> 193.149.129.133 any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing To 
IP: 193.149.129.133"; classtype:trojan-activity; sid:4182451; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert ip $HOME_NET any -> 193.149.176.254 any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing To IP: 193.149.176.254"; classtype:trojan-activity; sid:4182461; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert ip $HOME_NET any -> 206.188.196.86 any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing To IP: 206.188.196.86"; classtype:trojan-activity; sid:4182471; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert ip $HOME_NET any -> 45.227.252.247 any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing To IP: 45.227.252.247"; classtype:trojan-activity; sid:4182481; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert ip $HOME_NET any -> 45.61.136.175 any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing To IP: 45.61.136.175"; classtype:trojan-activity; sid:4182491; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert ip $HOME_NET any -> 45.61.136.64 any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing To IP: 45.61.136.64"; classtype:trojan-activity; sid:4182501; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert ip $HOME_NET any -> 45.61.138.243 any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing To IP: 45.61.138.243"; classtype:trojan-activity; sid:4182511; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert ip 
$HOME_NET any -> 46.161.40.164 any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing To IP: 46.161.40.164"; classtype:trojan-activity; sid:4182521; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert ip $HOME_NET any -> 46.175.148.147 any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing To IP: 46.175.148.147"; classtype:trojan-activity; sid:4182531; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert ip $HOME_NET any -> 64.190.113.57 any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing To IP: 64.190.113.57"; classtype:trojan-activity; sid:4182541; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert ip $HOME_NET any -> 64.227.24.240 any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing To IP: 64.227.24.240"; classtype:trojan-activity; sid:4182551; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert ip $HOME_NET any -> 89.22.232.145 any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing To IP: 89.22.232.145"; classtype:trojan-activity; sid:4182561; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert ip $HOME_NET any -> 89.22.233.149 any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing To IP: 89.22.233.149"; classtype:trojan-activity; sid:4182571; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert ip $HOME_NET any -> 94.103.86.38 any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] 
Outgoing To IP: 94.103.86.38"; classtype:trojan-activity; sid:4182581; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert ip $HOME_NET any -> 94.20.72.7 any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing To IP: 94.20.72.7"; classtype:trojan-activity; sid:4182591; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Domain akipress.news"; dns.query; content:"akipress.news"; nocase; pcre: "/(^|[^A-Za-z0-9-])akipress\.news$/i"; classtype:trojan-activity; sid:4182601; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Domain akipress.news"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"akipress.news"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])akipress\.news[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4182602; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Domain archive-downloader.com"; dns.query; content:"archive-downloader.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])archive\-downloader\.com$/i"; classtype:trojan-activity; sid:4182611; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Domain archive-downloader.com"; flow:to_server,established; http.header; 
content: "Host|3a|"; nocase; http.header; content:"archive-downloader.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])archive\-downloader\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4182612; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Domain attachment-posts.cc"; dns.query; content:"attachment-posts.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-])attachment\-posts\.cc$/i"; classtype:trojan-activity; sid:4182621; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Domain attachment-posts.cc"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"attachment-posts.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])attachment\-posts\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4182622; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Domain becloud.cc"; dns.query; content:"becloud.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-])becloud\.cc$/i"; classtype:trojan-activity; sid:4182631; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Domain becloud.cc"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"becloud.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])becloud\.cc[^A-Za-z0-9-\.]/Hi"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4182632; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Domain becloud.website"; dns.query; content:"becloud.website"; nocase; pcre: "/(^|[^A-Za-z0-9-])becloud\.website$/i"; classtype:trojan-activity; sid:4182641; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Domain becloud.website"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"becloud.website"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])becloud\.website[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4182642; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Hostname belaes.by.authentication.becloud.cc"; dns.query; content:"belaes.by.authentication.becloud.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])belaes\.by\.authentication\.becloud\.cc$/i"; classtype:trojan-activity; sid:4182651; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Hostname belaes.by.authentication.becloud.cc"; flow:to_server,established; http.header; content: "Host|3a| belaes.by.authentication.becloud.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])belaes\.by\.authentication\.becloud\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4182652; rev:1; 
priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Hostname belstat.gov.by.attachment-posts.cc"; dns.query; content:"belstat.gov.by.attachment-posts.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])belstat\.gov\.by\.attachment\-posts\.cc$/i"; classtype:trojan-activity; sid:4182661; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Hostname belstat.gov.by.attachment-posts.cc"; flow:to_server,established; http.header; content: "Host|3a| belstat.gov.by.attachment-posts.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])belstat\.gov\.by\.attachment\-posts\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4182662; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Domain capitaltrust.uz"; dns.query; content:"capitaltrust.uz"; nocase; pcre: "/(^|[^A-Za-z0-9-])capitaltrust\.uz$/i"; classtype:trojan-activity; sid:4182671; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Domain capitaltrust.uz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"capitaltrust.uz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])capitaltrust\.uz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4182672; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert 
dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Hostname cloud.archive-downloader.com"; dns.query; content:"cloud.archive-downloader.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cloud\.archive\-downloader\.com$/i"; classtype:trojan-activity; sid:4182681; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Hostname cloud.archive-downloader.com"; flow:to_server,established; http.header; content: "Host|3a| cloud.archive-downloader.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cloud\.archive\-downloader\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4182682; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Hostname doc.az-link.email"; dns.query; content:"doc.az-link.email"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])doc\.az\-link\.email$/i"; classtype:trojan-activity; sid:4182691; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Hostname doc.az-link.email"; flow:to_server,established; http.header; content: "Host|3a| doc.az-link.email"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])doc\.az\-link\.email[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4182692; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave 
Maria",misp-galaxy:rat="Warzone",tlp:white] Hostname docscpcpipe.inro.link"; dns.query; content:"docscpcpipe.inro.link"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])docscpcpipe\.inro\.link$/i"; classtype:trojan-activity; sid:4182701; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Hostname docscpcpipe.inro.link"; flow:to_server,established; http.header; content: "Host|3a| docscpcpipe.inro.link"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])docscpcpipe\.inro\.link[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4182702; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Hostname download.az-link.email"; dns.query; content:"download.az-link.email"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])download\.az\-link\.email$/i"; classtype:trojan-activity; sid:4182711; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Hostname download.az-link.email"; flow:to_server,established; http.header; content: "Host|3a| download.az-link.email"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])download\.az\-link\.email[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4182712; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Domain e-aks.uz"; dns.query; content:"e-aks.uz"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])e\-aks\.uz$/i"; classtype:trojan-activity; sid:4182721; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Domain e-aks.uz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"e-aks.uz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])e\-aks\.uz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4182722; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Hostname e.login.mail-ru.link"; dns.query; content:"e.login.mail-ru.link"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])e\.login\.mail\-ru\.link$/i"; classtype:trojan-activity; sid:4182731; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Hostname e.login.mail-ru.link"; flow:to_server,established; http.header; content: "Host|3a| e.login.mail-ru.link"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])e\.login\.mail\-ru\.link[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4182732; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Hostname e.mail.ru.autn.tech"; dns.query; content:"e.mail.ru.autn.tech"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])e\.mail\.ru\.autn\.tech$/i"; classtype:trojan-activity; sid:4182741; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Hostname e.mail.ru.autn.tech"; flow:to_server,established; http.header; content: "Host|3a| e.mail.ru.autn.tech"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])e\.mail\.ru\.autn\.tech[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4182742; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Hostname e.mail.ru.mypolicy.top"; dns.query; content:"e.mail.ru.mypolicy.top"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])e\.mail\.ru\.mypolicy\.top$/i"; classtype:trojan-activity; sid:4182751; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Hostname e.mail.ru.mypolicy.top"; flow:to_server,established; http.header; content: "Host|3a| e.mail.ru.mypolicy.top"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])e\.mail\.ru\.mypolicy\.top[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4182752; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Hostname e.mail.ru.portal-inbox.com"; dns.query; content:"e.mail.ru.portal-inbox.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])e\.mail\.ru\.portal\-inbox\.com$/i"; classtype:trojan-activity; sid:4182761; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave 
Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Hostname e.mail.ru.portal-inbox.com"; flow:to_server,established; http.header; content: "Host|3a| e.mail.ru.portal-inbox.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])e\.mail\.ru\.portal\-inbox\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4182762; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Hostname e.nail.ru.imbox.link"; dns.query; content:"e.nail.ru.imbox.link"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])e\.nail\.ru\.imbox\.link$/i"; classtype:trojan-activity; sid:4182771; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Hostname e.nail.ru.imbox.link"; flow:to_server,established; http.header; content: "Host|3a| e.nail.ru.imbox.link"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])e\.nail\.ru\.imbox\.link[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4182772; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Hostname account.mail.ru.sigriup.site"; dns.query; content:"account.mail.ru.sigriup.site"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])account\.mail\.ru\.sigriup\.site$/i"; classtype:trojan-activity; sid:4182781; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Hostname account.mail.ru.sigriup.site"; 
flow:to_server,established; http.header; content: "Host|3a| account.mail.ru.sigriup.site"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])account\.mail\.ru\.sigriup\.site[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4182782; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Hostname account.nail.ru.horme.info"; dns.query; content:"account.nail.ru.horme.info"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])account\.nail\.ru\.horme\.info$/i"; classtype:trojan-activity; sid:4182791; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Hostname account.nail.ru.horme.info"; flow:to_server,established; http.header; content: "Host|3a| account.nail.ru.horme.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])account\.nail\.ru\.horme\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4182792; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Hostname account.nail.ru.inro.link"; dns.query; content:"account.nail.ru.inro.link"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])account\.nail\.ru\.inro\.link$/i"; classtype:trojan-activity; sid:4182801; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Hostname account.nail.ru.inro.link"; flow:to_server,established; http.header; content: "Host|3a| 
account.nail.ru.inro.link"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])account\.nail\.ru\.inro\.link[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4182802; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Hostname accountyandex.inro.link"; dns.query; content:"accountyandex.inro.link"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])accountyandex\.inro\.link$/i"; classtype:trojan-activity; sid:4182811; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Hostname accountyandex.inro.link"; flow:to_server,established; http.header; content: "Host|3a| accountyandex.inro.link"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])accountyandex\.inro\.link[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4182812; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Domain hbfyewtuvfbhsbdjhjwebfy.net"; dns.query; content:"hbfyewtuvfbhsbdjhjwebfy.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])hbfyewtuvfbhsbdjhjwebfy\.net$/i"; classtype:trojan-activity; sid:4182821; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Domain hbfyewtuvfbhsbdjhjwebfy.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hbfyewtuvfbhsbdjhjwebfy.net"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])hbfyewtuvfbhsbdjhjwebfy\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4182822; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Hostname hse.ru.attachment-posts.cc"; dns.query; content:"hse.ru.attachment-posts.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])hse\.ru\.attachment\-posts\.cc$/i"; classtype:trojan-activity; sid:4182831; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Hostname hse.ru.attachment-posts.cc"; flow:to_server,established; http.header; content: "Host|3a| hse.ru.attachment-posts.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])hse\.ru\.attachment\-posts\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4182832; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Domain imbox.link"; dns.query; content:"imbox.link"; nocase; pcre: "/(^|[^A-Za-z0-9-])imbox\.link$/i"; classtype:trojan-activity; sid:4182841; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Domain imbox.link"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"imbox.link"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])imbox\.link[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4182842; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Hostname industry.tj.mypolicy.top"; dns.query; content:"industry.tj.mypolicy.top"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])industry\.tj\.mypolicy\.top$/i"; classtype:trojan-activity; sid:4182851; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Hostname industry.tj.mypolicy.top"; flow:to_server,established; http.header; content: "Host|3a| industry.tj.mypolicy.top"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])industry\.tj\.mypolicy\.top[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4182852; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Hostname mail.agro.gov.kg.openingfile.net"; dns.query; content:"mail.agro.gov.kg.openingfile.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mail\.agro\.gov\.kg\.openingfile\.net$/i"; classtype:trojan-activity; sid:4182861; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Hostname mail.agro.gov.kg.openingfile.net"; flow:to_server,established; http.header; content: "Host|3a| mail.agro.gov.kg.openingfile.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mail\.agro\.gov\.kg\.openingfile\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4182862; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Hostname mail.belaes.by.authentication.becloud.cc"; dns.query; content:"mail.belaes.by.authentication.becloud.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mail\.belaes\.by\.authentication\.becloud\.cc$/i"; classtype:trojan-activity; sid:4182871; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Hostname mail.belaes.by.authentication.becloud.cc"; flow:to_server,established; http.header; content: "Host|3a| mail.belaes.by.authentication.becloud.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mail\.belaes\.by\.authentication\.becloud\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4182872; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Hostname mail.economy.qov.az-link.email"; dns.query; content:"mail.economy.qov.az-link.email"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mail\.economy\.qov\.az\-link\.email$/i"; classtype:trojan-activity; sid:4182881; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Hostname mail.economy.qov.az-link.email"; flow:to_server,established; http.header; content: "Host|3a| mail.economy.qov.az-link.email"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mail\.economy\.qov\.az\-link\.email[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4182882; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Hostname mail.g-cloud.by.authentication.becloud.cc"; dns.query; content:"mail.g-cloud.by.authentication.becloud.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mail\.g\-cloud\.by\.authentication\.becloud\.cc$/i"; classtype:trojan-activity; sid:4182891; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Hostname mail.g-cloud.by.authentication.becloud.cc"; flow:to_server,established; http.header; content: "Host|3a| mail.g-cloud.by.authentication.becloud.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mail\.g\-cloud\.by\.authentication\.becloud\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4182892; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Hostname mail.gov.az-link.email"; dns.query; content:"mail.gov.az-link.email"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mail\.gov\.az\-link\.email$/i"; classtype:trojan-activity; sid:4182901; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Hostname mail.gov.az-link.email"; flow:to_server,established; http.header; content: "Host|3a| mail.gov.az-link.email"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mail\.gov\.az\-link\.email[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4182902; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Hostname mail.hse.ru.attachment-posts.cc"; dns.query; content:"mail.hse.ru.attachment-posts.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mail\.hse\.ru\.attachment\-posts\.cc$/i"; classtype:trojan-activity; sid:4182911; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Hostname mail.hse.ru.attachment-posts.cc"; flow:to_server,established; http.header; content: "Host|3a| mail.hse.ru.attachment-posts.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mail\.hse\.ru\.attachment\-posts\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4182912; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Hostname mail.iacis.ru.autn.tech"; dns.query; content:"mail.iacis.ru.autn.tech"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mail\.iacis\.ru\.autn\.tech$/i"; classtype:trojan-activity; sid:4182921; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Hostname mail.iacis.ru.autn.tech"; flow:to_server,established; http.header; content: "Host|3a| mail.iacis.ru.autn.tech"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mail\.iacis\.ru\.autn\.tech[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4182922; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Hostname mail.mfa.az-link.email"; dns.query; content:"mail.mfa.az-link.email"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mail\.mfa\.az\-link\.email$/i"; classtype:trojan-activity; sid:4182931; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Hostname mail.mfa.az-link.email"; flow:to_server,established; http.header; content: "Host|3a| mail.mfa.az-link.email"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mail\.mfa\.az\-link\.email[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4182932; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Hostname mail.mfa.gov.kg.openingfile.net"; dns.query; content:"mail.mfa.gov.kg.openingfile.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mail\.mfa\.gov\.kg\.openingfile\.net$/i"; classtype:trojan-activity; sid:4182941; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Hostname mail.mfa.gov.kg.openingfile.net"; flow:to_server,established; http.header; content: "Host|3a| mail.mfa.gov.kg.openingfile.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mail\.mfa\.gov\.kg\.openingfile\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4182942; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any 
any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Hostname mail.mgimo.ru.sigriup.site"; dns.query; content:"mail.mgimo.ru.sigriup.site"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mail\.mgimo\.ru\.sigriup\.site$/i"; classtype:trojan-activity; sid:4182951; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Hostname mail.mgimo.ru.sigriup.site"; flow:to_server,established; http.header; content: "Host|3a| mail.mgimo.ru.sigriup.site"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mail\.mgimo\.ru\.sigriup\.site[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4182952; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Hostname mail.ru.authentification.becloud.cc"; dns.query; content:"mail.ru.authentification.becloud.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mail\.ru\.authentification\.becloud\.cc$/i"; classtype:trojan-activity; sid:4182961; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Hostname mail.ru.authentification.becloud.cc"; flow:to_server,established; http.header; content: "Host|3a| mail.ru.authentification.becloud.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mail\.ru\.authentification\.becloud\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4182962; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: 
"MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Hostname mailacgov.inro.link"; dns.query; content:"mailacgov.inro.link"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mailacgov\.inro\.link$/i"; classtype:trojan-activity; sid:4182971; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Hostname mailacgov.inro.link"; flow:to_server,established; http.header; content: "Host|3a| mailacgov.inro.link"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mailacgov\.inro\.link[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4182972; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Hostname mailaviacomplect.inro.link"; dns.query; content:"mailaviacomplect.inro.link"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mailaviacomplect\.inro\.link$/i"; classtype:trojan-activity; sid:4182981; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Hostname mailaviacomplect.inro.link"; flow:to_server,established; http.header; content: "Host|3a| mailaviacomplect.inro.link"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mailaviacomplect\.inro\.link[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4182982; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Hostname 
maileecommission.inro.link"; dns.query; content:"maileecommission.inro.link"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])maileecommission\.inro\.link$/i"; classtype:trojan-activity; sid:4182991; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Hostname maileecommission.inro.link"; flow:to_server,established; http.header; content: "Host|3a| maileecommission.inro.link"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])maileecommission\.inro\.link[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4182992; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Domain mfa-tj.download"; dns.query; content:"mfa-tj.download"; nocase; pcre: "/(^|[^A-Za-z0-9-])mfa\-tj\.download$/i"; classtype:trojan-activity; sid:4183001; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Domain mfa-tj.download"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mfa-tj.download"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mfa\-tj\.download[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4183002; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Hostname minsk.gov.by.attachment-posts.cc"; dns.query; content:"minsk.gov.by.attachment-posts.cc"; nocase; pcre: 
"/(^|[^A-Za-z0-9-\.])minsk\.gov\.by\.attachment\-posts\.cc$/i"; classtype:trojan-activity; sid:4183011; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Hostname minsk.gov.by.attachment-posts.cc"; flow:to_server,established; http.header; content: "Host|3a| minsk.gov.by.attachment-posts.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])minsk\.gov\.by\.attachment\-posts\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4183012; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Hostname moscpcpipe.inro.link"; dns.query; content:"moscpcpipe.inro.link"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])moscpcpipe\.inro\.link$/i"; classtype:trojan-activity; sid:4183021; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Hostname moscpcpipe.inro.link"; flow:to_server,established; http.header; content: "Host|3a| moscpcpipe.inro.link"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])moscpcpipe\.inro\.link[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4183022; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Domain mypolicy.top"; dns.query; content:"mypolicy.top"; nocase; pcre: "/(^|[^A-Za-z0-9-])mypolicy\.top$/i"; classtype:trojan-activity; sid:4183031; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Domain mypolicy.top"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mypolicy.top"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mypolicy\.top[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4183032; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Hostname newint.mid.ru.owaut.ru"; dns.query; content:"newint.mid.ru.owaut.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])newint\.mid\.ru\.owaut\.ru$/i"; classtype:trojan-activity; sid:4183041; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Hostname newint.mid.ru.owaut.ru"; flow:to_server,established; http.header; content: "Host|3a| newint.mid.ru.owaut.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])newint\.mid\.ru\.owaut\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4183042; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Domain openingfile.net"; dns.query; content:"openingfile.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])openingfile\.net$/i"; classtype:trojan-activity; sid:4183051; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 
[misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Domain openingfile.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"openingfile.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])openingfile\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4183052; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Domain portal-inbox.com"; dns.query; content:"portal-inbox.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])portal\-inbox\.com$/i"; classtype:trojan-activity; sid:4183061; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Domain portal-inbox.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"portal-inbox.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])portal\-inbox\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4183062; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Hostname rnail.iterrf.ru.inro.link"; dns.query; content:"rnail.iterrf.ru.inro.link"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])rnail\.iterrf\.ru\.inro\.link$/i"; classtype:trojan-activity; sid:4183071; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Hostname 
rnail.iterrf.ru.inro.link"; flow:to_server,established; http.header; content: "Host|3a| rnail.iterrf.ru.inro.link"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])rnail\.iterrf\.ru\.inro\.link[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4183072; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Hostname rnail.mintrans.gov.ru.inro.link"; dns.query; content:"rnail.mintrans.gov.ru.inro.link"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])rnail\.mintrans\.gov\.ru\.inro\.link$/i"; classtype:trojan-activity; sid:4183081; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Hostname rnail.mintrans.gov.ru.inro.link"; flow:to_server,established; http.header; content: "Host|3a| rnail.mintrans.gov.ru.inro.link"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])rnail\.mintrans\.gov\.ru\.inro\.link[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4183082; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Hostname rnail.rnid.ru.inro.link"; dns.query; content:"rnail.rnid.ru.inro.link"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])rnail\.rnid\.ru\.inro\.link$/i"; classtype:trojan-activity; sid:4183091; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Hostname rnail.rnid.ru.inro.link"; flow:to_server,established; 
http.header; content: "Host|3a| rnail.rnid.ru.inro.link"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])rnail\.rnid\.ru\.inro\.link[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4183092; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Hostname srm.mfa.tj.uzdaily.news"; dns.query; content:"srm.mfa.tj.uzdaily.news"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])srm\.mfa\.tj\.uzdaily\.news$/i"; classtype:trojan-activity; sid:4183101; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Hostname srm.mfa.tj.uzdaily.news"; flow:to_server,established; http.header; content: "Host|3a| srm.mfa.tj.uzdaily.news"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])srm\.mfa\.tj\.uzdaily\.news[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4183102; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Hostname sts.mfa.gov.tr.mypolicy.top"; dns.query; content:"sts.mfa.gov.tr.mypolicy.top"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])sts\.mfa\.gov\.tr\.mypolicy\.top$/i"; classtype:trojan-activity; sid:4183111; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Hostname sts.mfa.gov.tr.mypolicy.top"; flow:to_server,established; http.header; content: "Host|3a| sts.mfa.gov.tr.mypolicy.top"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-\.])sts\.mfa\.gov\.tr\.mypolicy\.top[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4183112; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert dns any any -> any any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Hostname true.az-link.email"; dns.query; content:"true.az-link.email"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])true\.az\-link\.email$/i"; classtype:trojan-activity; sid:4183121; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing HTTP Hostname true.az-link.email"; flow:to_server,established; http.header; content: "Host|3a| true.az-link.email"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])true\.az\-link\.email[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4183122; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> 172.86.75.220 $HTTP_PORTS (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL http|3a|//172.86.75.220/arxiv.rar"; flow:to_server,established; http.header; content:"172.86.75.220"; fast_pattern; nocase; http.uri; content:"/arxiv.rar"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4183131; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> 162.33.177.195 $HTTP_PORTS (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL http|3a|//162.33.177.195/"; flow:to_server,established; http.header; content:"162.33.177.195"; fast_pattern; nocase; http.uri; content:"/"; nocase; tag:session,600,seconds; classtype:trojan-activity; 
sid:4183141; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> 168.100.11.137 $HTTP_PORTS (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL http|3a|//168.100.11.137/"; flow:to_server,established; http.header; content:"168.100.11.137"; fast_pattern; nocase; http.uri; content:"/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4183151; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> 45.61.136.175 $HTTP_PORTS (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL http|3a|//45.61.136.175/"; flow:to_server,established; http.header; content:"45.61.136.175"; fast_pattern; nocase; http.uri; content:"/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4183161; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL http|3a|//mail.mfa.az-link.email/+csco+0075676763663a2f2f31302e3130302e3230302e32++/+csco+0075676763663a2f2f31302e3130302e3230302e32++/_task=login"; flow:to_server,established; http.header; content:"mail.mfa.az-link.email"; fast_pattern; nocase; http.uri; content:"/+csco+0075676763663a2f2f31302e3130302e3230302e32++/+csco+0075676763663a2f2f31302e3130302e3230302e32++/_task=login"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4183171; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> 143.198.80.235 $HTTP_PORTS (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL http|3a|//143.198.80.235/upd.exe"; flow:to_server,established; 
http.header; content:"143.198.80.235"; fast_pattern; nocase; http.uri; content:"/upd.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4183181; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> 172.86.75.220 $HTTP_PORTS (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL http|3a|//172.86.75.220/02.08.2022.exe"; flow:to_server,established; http.header; content:"172.86.75.220"; fast_pattern; nocase; http.uri; content:"/02.08.2022.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4183191; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> 172.86.75.220 $HTTP_PORTS (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL http|3a|//172.86.75.220/123.hta"; flow:to_server,established; http.header; content:"172.86.75.220"; fast_pattern; nocase; http.uri; content:"/123.hta"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4183201; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> 178.20.45.52 $HTTP_PORTS (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL http|3a|//178.20.45.52/sec/pes.exe"; flow:to_server,established; http.header; content:"178.20.45.52"; fast_pattern; nocase; http.uri; content:"/sec/pes.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4183211; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> 193.149.176.254 $HTTP_PORTS (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL http|3a|//193.149.176.254/file.exe"; flow:to_server,established; http.header; content:"193.149.176.254"; 
fast_pattern; nocase; http.uri; content:"/file.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4183221; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> 193.149.176.254 $HTTP_PORTS (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL http|3a|//193.149.176.254/hstart.exe"; flow:to_server,established; http.header; content:"193.149.176.254"; fast_pattern; nocase; http.uri; content:"/hstart.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4183231; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> 212.24.106.218 $HTTP_PORTS (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL http|3a|//212.24.106.218/spoolsv.exe"; flow:to_server,established; http.header; content:"212.24.106.218"; fast_pattern; nocase; http.uri; content:"/spoolsv.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4183241; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> 45.61.136.64 $HTTP_PORTS (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL http|3a|//45.61.136.64/update.exe"; flow:to_server,established; http.header; content:"45.61.136.64"; fast_pattern; nocase; http.uri; content:"/update.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4183251; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> 45.61.137.32 $HTTP_PORTS (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL http|3a|//45.61.137.32/attachments/download/02.08.2022.exe"; flow:to_server,established; http.header; content:"45.61.137.32"; fast_pattern; 
nocase; http.uri; content:"/attachments/download/02.08.2022.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4183261; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> 45.61.137.32 $HTTP_PORTS (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL http|3a|//45.61.137.32/Scanned_document.exe"; flow:to_server,established; http.header; content:"45.61.137.32"; fast_pattern; nocase; http.uri; content:"/Scanned_document.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4183271; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> 45.61.137.32 $HTTP_PORTS (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL http|3a|//45.61.137.32/svvhost.rar"; flow:to_server,established; http.header; content:"45.61.137.32"; fast_pattern; nocase; http.uri; content:"/svvhost.rar"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4183281; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> 45.61.137.32 $HTTP_PORTS (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL http|3a|//45.61.137.32/www.exe"; flow:to_server,established; http.header; content:"45.61.137.32"; fast_pattern; nocase; http.uri; content:"/www.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4183291; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> 89.22.233.149 $HTTP_PORTS (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL http|3a|//89.22.233.149/ms7.hta"; flow:to_server,established; http.header; content:"89.22.233.149"; fast_pattern; nocase; 
http.uri; content:"/ms7.hta"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4183301; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> 89.22.233.149 $HTTP_PORTS (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL http|3a|//89.22.233.149/Spisok_sotrudnikov_1_chast.exe"; flow:to_server,established; http.header; content:"89.22.233.149"; fast_pattern; nocase; http.uri; content:"/Spisok_sotrudnikov_1_chast.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4183311; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> 94.103.86.38 $HTTP_PORTS (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL http|3a|//94.103.86.38/file.exe"; flow:to_server,established; http.header; content:"94.103.86.38"; fast_pattern; nocase; http.uri; content:"/file.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4183321; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> 94.103.86.38 $HTTP_PORTS (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL http|3a|//94.103.86.38/ms1.hta"; flow:to_server,established; http.header; content:"94.103.86.38"; fast_pattern; nocase; http.uri; content:"/ms1.hta"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4183331; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> 94.103.86.38 $HTTP_PORTS (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL http|3a|//94.103.86.38/wz.exe"; flow:to_server,established; http.header; content:"94.103.86.38"; fast_pattern; nocase; http.uri; content:"/wz.exe"; 
nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4183341; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL http|3a|//account.mail.ru.sigriup.site/"; flow:to_server,established; http.header; content:"account.mail.ru.sigriup.site"; fast_pattern; nocase; http.uri; content:"/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4183351; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL http|3a|//account.nail.ru.horme.info/"; flow:to_server,established; http.header; content:"account.nail.ru.horme.info"; fast_pattern; nocase; http.uri; content:"/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4183361; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL http|3a|//becloud.website/svchest.exe"; flow:to_server,established; http.header; content:"becloud.website"; fast_pattern; nocase; http.uri; content:"/svchest.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4183371; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL http|3a|//e.mail.ru.autn.tech/"; flow:to_server,established; http.header; content:"e.mail.ru.autn.tech"; fast_pattern; nocase; http.uri; content:"/"; nocase; 
tag:session,600,seconds; classtype:trojan-activity; sid:4183381; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL http|3a|//e.mail.ru.portal-inbox.com/"; flow:to_server,established; http.header; content:"e.mail.ru.portal-inbox.com"; fast_pattern; nocase; http.uri; content:"/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4183391; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL http|3a|//e.nail.ru.imbox.link/home/files/%D0%98%D0%BD%D1%84%D0%BE%D1%80%D0%BC%D0%B0%D1%86%D0%B8%D0%BE%D0%BD%D0%BD%D0%BE%D0%B5%20%D0%BF%D0%B8%D1%81%D1%8C%D0%BC%D0%BE.rar"; flow:to_server,established; http.header; content:"e.nail.ru.imbox.link"; fast_pattern; nocase; http.uri; content:"/home/files/%D0%98%D0%BD%D1%84%D0%BE%D1%80%D0%BC%D0%B0%D1%86%D0%B8%D0%BE%D0%BD%D0%BD%D0%BE%D0%B5%20%D0%BF%D0%B8%D1%81%D1%8C%D0%BC%D0%BE.rar"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4183401; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL http|3a|//iacis.ru/download/spoolsv.exe"; flow:to_server,established; http.header; content:"iacis.ru"; fast_pattern; nocase; http.uri; content:"/download/spoolsv.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4183411; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e342 
[misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL http|3a|//iacis.ru/log/spoolsv.exe"; flow:to_server,established; http.header; content:"iacis.ru"; fast_pattern; nocase; http.uri; content:"/log/spoolsv.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4183421; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;)
# NOTE(review): the [misp-galaxy:...="..."] tags embedded in msg carry unescaped double quotes.
# Suricata treats '"' as the option-string delimiter, so confirm the deployed version actually
# loads these rules (or escape the quotes as \") — a rule that fails to parse is a silent
# detection gap rather than a visible error at alert time.
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL http|3a|//mfa-tj.download/26478_0001.rar"; flow:to_server,established; http.header; content:"mfa-tj.download"; fast_pattern; nocase; http.uri; content:"/26478_0001.rar"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4183431; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;)
# NOTE(review): sid 4183441 matches tls.sni against an IP literal. RFC 6066 does not allow
# literal addresses in the SNI HostName and clients generally send no SNI for https://<ip>/,
# so this rule is unlikely to ever fire; if this export also carries an "Outgoing To IP" rule
# for that address, that is the one to rely on.
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL https|3a|//45.61.139.224/"; tls.sni; content:"45.61.139.224"; tag:session,600,seconds; classtype:trojan-activity; sid:4183441; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;)
# NOTE(review): sids 4183451 and 4183461 (the latter continues on the next line) only match
# the SNI "api.telegram.org". The bot token and chat_id shown in msg sit in the encrypted
# request path and are not inspected, so every legitimate Telegram Bot API client on
# $HOME_NET triggers them as well. Treat these as low-confidence context and correlate with
# the other e342 indicators before escalating.
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL https|3a|//api.telegram.org/bot5885840251|3a|AAG8HoCjrI1QANXkA4oqnJ60lgPP7w86Clg/sendMessage?chat_id=5683385422"; tls.sni; content:"api.telegram.org"; tag:session,600,seconds; classtype:trojan-activity; sid:4183451; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;)
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL 
https|3a|//api.telegram.org/bot5974645737|3a|AAEj2Y0MFGEHmvrFSINWeZcAsbjuUkLysnA/sendMessage?chat_id=5683385422"; tls.sni; content:"api.telegram.org"; tag:session,600,seconds; classtype:trojan-activity; sid:4183461; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL https|3a|//attachment-posts.cc/files.rar"; tls.sni; content:"attachment-posts.cc"; tag:session,600,seconds; classtype:trojan-activity; sid:4183471; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL https|3a|//becloud.website/obfuscated_compressed_some.exe"; tls.sni; content:"becloud.website"; tag:session,600,seconds; classtype:trojan-activity; sid:4183481; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL https|3a|//becloud.website/svchest.exe"; tls.sni; content:"becloud.website"; tag:session,600,seconds; classtype:trojan-activity; sid:4183491; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL https|3a|//capitaltrust.uz/file.pdf"; tls.sni; content:"capitaltrust.uz"; tag:session,600,seconds; classtype:trojan-activity; sid:4183501; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave 
Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL https|3a|//capitaltrust.uz/lsaasc.exe"; tls.sni; content:"capitaltrust.uz"; tag:session,600,seconds; classtype:trojan-activity; sid:4183511; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL https|3a|//capitaltrust.uz/lsaca.exe"; tls.sni; content:"capitaltrust.uz"; tag:session,600,seconds; classtype:trojan-activity; sid:4183521; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL https|3a|//capitaltrust.uz/lsacs.exe"; tls.sni; content:"capitaltrust.uz"; tag:session,600,seconds; classtype:trojan-activity; sid:4183531; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL https|3a|//capitaltrust.uz/s.hta"; tls.sni; content:"capitaltrust.uz"; tag:session,600,seconds; classtype:trojan-activity; sid:4183541; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL https|3a|//capitaltrust.uz/stel.hta"; tls.sni; content:"capitaltrust.uz"; tag:session,600,seconds; classtype:trojan-activity; sid:4183551; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL 
https|3a|//cloud.archive-downloader.com/lsacs.exe"; tls.sni; content:"cloud.archive-downloader.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4183561; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL https|3a|//cloud.archive-downloader.com/s.hta"; tls.sni; content:"cloud.archive-downloader.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4183571; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL https|3a|//e-aks.uz/file.pdf"; tls.sni; content:"e-aks.uz"; tag:session,600,seconds; classtype:trojan-activity; sid:4183581; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL https|3a|//e-aks.uz/lsacs.exe"; tls.sni; content:"e-aks.uz"; tag:session,600,seconds; classtype:trojan-activity; sid:4183591; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL https|3a|//e-aks.uz/s.hta"; tls.sni; content:"e-aks.uz"; tag:session,600,seconds; classtype:trojan-activity; sid:4183601; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL https|3a|//e.nail.ru.imbox.link/"; tls.sni; 
content:"e.nail.ru.imbox.link"; tag:session,600,seconds; classtype:trojan-activity; sid:4183611; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL https|3a|//iacis.ru/download/spoolsv.exe"; tls.sni; content:"iacis.ru"; tag:session,600,seconds; classtype:trojan-activity; sid:4183621; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL https|3a|//iacis.ru/log/spoolsv.exe"; tls.sni; content:"iacis.ru"; tag:session,600,seconds; classtype:trojan-activity; sid:4183631; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL https|3a|//mail.mfa.az-link.email/+CSCO+0075676763663A2F2F31302E3130302E3230302E32++/+CSCO+0075676763663A2F2F31302E3130302E3230302E32++/_task=login/"; tls.sni; content:"mail.mfa.az-link.email"; tag:session,600,seconds; classtype:trojan-activity; sid:4183641; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL https|3a|//mfa-tj.download/lo.hta"; tls.sni; content:"mfa-tj.download"; tag:session,600,seconds; classtype:trojan-activity; sid:4183651; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] 
Outgoing URL https|3a|//portal-inbox.com/"; tls.sni; content:"portal-inbox.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4183661; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e342 [misp-galaxy:malpedia="Loda",misp-galaxy:malpedia="Ave Maria",misp-galaxy:rat="Warzone",tlp:white] Outgoing URL https|3a|//telegram.akipress.news/1r.exe"; tls.sni; content:"telegram.akipress.news"; tag:session,600,seconds; classtype:trojan-activity; sid:4183671; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/342;) alert ip $HOME_NET any -> 23.148.145.237 any (msg: "MISP e343 [misp-galaxy:malpedia="Prometei",tlp:white] Outgoing To IP: 23.148.145.237"; classtype:trojan-activity; sid:4183731; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/343;) alert ip $HOME_NET any -> 69.84.240.57 any (msg: "MISP e343 [misp-galaxy:malpedia="Prometei",tlp:white] Outgoing To IP: 69.84.240.57"; classtype:trojan-activity; sid:4183741; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/343;) alert ip $HOME_NET any -> 103.40.123.34 any (msg: "MISP e343 [misp-galaxy:malpedia="Prometei",tlp:white] Outgoing To IP: 103.40.123.34"; classtype:trojan-activity; sid:4183751; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/343;) alert ip $HOME_NET any -> 103.184.128.180 any (msg: "MISP e343 [misp-galaxy:malpedia="Prometei",tlp:white] Outgoing To IP: 103.184.128.180"; classtype:trojan-activity; sid:4183761; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/343;) alert ip $HOME_NET any -> 103.184.128.244 any (msg: "MISP e343 [misp-galaxy:malpedia="Prometei",tlp:white] Outgoing To IP: 103.184.128.244"; classtype:trojan-activity; sid:4183771; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/343;) alert ip $HOME_NET any -> 194.195.213.62 any (msg: "MISP e343 [misp-galaxy:malpedia="Prometei",tlp:white] 
Outgoing To IP: 194.195.213.62"; classtype:trojan-activity; sid:4183781; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/343;) alert ip $HOME_NET any -> 211.232.48.65 any (msg: "MISP e343 [misp-galaxy:malpedia="Prometei",tlp:white] Outgoing To IP: 211.232.48.65"; classtype:trojan-activity; sid:4183791; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/343;) alert ip $HOME_NET any -> 103.65.236.53 any (msg: "MISP e343 [misp-galaxy:malpedia="Prometei",tlp:white] Outgoing To IP: 103.65.236.53"; classtype:trojan-activity; sid:4183801; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/343;) alert ip $HOME_NET any -> 177.73.237.55 any (msg: "MISP e343 [misp-galaxy:malpedia="Prometei",tlp:white] Outgoing To IP: 177.73.237.55"; classtype:trojan-activity; sid:4183811; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/343;) alert ip $HOME_NET any -> 221.120.144.101 any (msg: "MISP e343 [misp-galaxy:malpedia="Prometei",tlp:white] Outgoing To IP: 221.120.144.101"; classtype:trojan-activity; sid:4183821; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/343;) alert dns any any -> any any (msg: "MISP e343 [misp-galaxy:malpedia="Prometei",tlp:white] Hostname p1.feefreepool.net"; dns.query; content:"p1.feefreepool.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])p1\.feefreepool\.net$/i"; classtype:trojan-activity; sid:4183831; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/343;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e343 [misp-galaxy:malpedia="Prometei",tlp:white] Outgoing HTTP Hostname p1.feefreepool.net"; flow:to_server,established; http.header; content: "Host|3a| p1.feefreepool.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])p1\.feefreepool\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4183832; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/343;) alert dns any any -> any any (msg: "MISP 
e343 [misp-galaxy:malpedia="Prometei",tlp:white] Hostname p2.feefreepool.net"; dns.query; content:"p2.feefreepool.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])p2\.feefreepool\.net$/i"; classtype:trojan-activity; sid:4183841; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/343;)
# NOTE(review): the "Hostname" rules (4183841/4183842, 4183851/4183852) anchor their pcre with
# [^A-Za-z0-9-\.] and therefore match only the exact host, whereas the "Domain" rules below use
# [^A-Za-z0-9-] and also cover subdomains — presumably the intended distinction between MISP
# hostname and domain attributes, but worth knowing when a hit on a sibling label is expected.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e343 [misp-galaxy:malpedia="Prometei",tlp:white] Outgoing HTTP Hostname p2.feefreepool.net"; flow:to_server,established; http.header; content: "Host|3a| p2.feefreepool.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])p2\.feefreepool\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4183842; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/343;)
alert dns any any -> any any (msg: "MISP e343 [misp-galaxy:malpedia="Prometei",tlp:white] Hostname p3.feefreepool.net"; dns.query; content:"p3.feefreepool.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])p3\.feefreepool\.net$/i"; classtype:trojan-activity; sid:4183851; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/343;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e343 [misp-galaxy:malpedia="Prometei",tlp:white] Outgoing HTTP Hostname p3.feefreepool.net"; flow:to_server,established; http.header; content: "Host|3a| p3.feefreepool.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])p3\.feefreepool\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4183852; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/343;)
# NOTE(review): sid 4183861 (with its Host-header twin 4183862, the .zero pair 4183871/4183872
# and the .b32.i2p rule 4184091 further down) names Tor/I2P hidden services. Traffic that really
# goes through a Tor or I2P client never exposes these names in clear-text DNS or an HTTP Host
# header, so a hit means a host is trying to resolve or reach them directly — a leak or
# misconfiguration signal worth triaging on its own, not only as Prometei C2 evidence.
alert dns any any -> any any (msg: "MISP e343 [misp-galaxy:malpedia="Prometei",tlp:white] Domain gb7ni5rgeexdcncj.onion"; dns.query; content:"gb7ni5rgeexdcncj.onion"; nocase; pcre: "/(^|[^A-Za-z0-9-])gb7ni5rgeexdcncj\.onion$/i"; classtype:trojan-activity; sid:4183861; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/343;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e343 
[misp-galaxy:malpedia="Prometei",tlp:white] Outgoing HTTP Domain gb7ni5rgeexdcncj.onion"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gb7ni5rgeexdcncj.onion"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gb7ni5rgeexdcncj\.onion[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4183862; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/343;) alert dns any any -> any any (msg: "MISP e343 [misp-galaxy:malpedia="Prometei",tlp:white] Domain mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.zero"; dns.query; content:"mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.zero"; nocase; pcre: "/(^|[^A-Za-z0-9-])mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq\.zero$/i"; classtype:trojan-activity; sid:4183871; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/343;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e343 [misp-galaxy:malpedia="Prometei",tlp:white] Outgoing HTTP Domain mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.zero"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.zero"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq\.zero[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4183872; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/343;) alert http $HOME_NET any -> 23.148.145.237 180 (msg: "MISP e343 [misp-galaxy:malpedia="Prometei",tlp:white] Outgoing URL http|3a|//23.148.145.237|3a|180/update.7z"; flow:to_server,established; http.header; content:"23.148.145.237"; fast_pattern; nocase; http.uri; content:"/update.7z"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4183881; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/343;) alert http $HOME_NET any -> 69.84.240.57 180 (msg: "MISP e343 
[misp-galaxy:malpedia="Prometei",tlp:white] Outgoing URL http|3a|//69.84.240.57|3a|180/AppServ180.zip"; flow:to_server,established; http.header; content:"69.84.240.57"; fast_pattern; nocase; http.uri; content:"/AppServ180.zip"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4183891; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/343;) alert http $HOME_NET any -> 103.40.123.34 $HTTP_PORTS (msg: "MISP e343 [misp-galaxy:malpedia="Prometei",tlp:white] Outgoing URL http|3a|//103.40.123.34/k.php"; flow:to_server,established; http.header; content:"103.40.123.34"; fast_pattern; nocase; http.uri; content:"/k.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4183901; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/343;) alert http $HOME_NET any -> 103.40.123.34 $HTTP_PORTS (msg: "MISP e343 [misp-galaxy:malpedia="Prometei",tlp:white] Outgoing URL http|3a|//103.40.123.34/7z32.dll"; flow:to_server,established; http.header; content:"103.40.123.34"; fast_pattern; nocase; http.uri; content:"/7z32.dll"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4183911; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/343;) alert http $HOME_NET any -> 103.40.123.34 $HTTP_PORTS (msg: "MISP e343 [misp-galaxy:malpedia="Prometei",tlp:white] Outgoing URL http|3a|//103.40.123.34/7z32.exe"; flow:to_server,established; http.header; content:"103.40.123.34"; fast_pattern; nocase; http.uri; content:"/7z32.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4183921; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/343;) alert http $HOME_NET any -> 103.40.123.34 $HTTP_PORTS (msg: "MISP e343 [misp-galaxy:malpedia="Prometei",tlp:white] Outgoing URL http|3a|//103.40.123.34/std2.7z"; flow:to_server,established; http.header; content:"103.40.123.34"; fast_pattern; nocase; http.uri; content:"/std2.7z"; nocase; tag:session,600,seconds; classtype:trojan-activity; 
sid:4183931; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/343;)
# NOTE(review): sids 4183941, 4183951 and 4183961 all reduce to http.uri content "/dwn.php";
# the "?d=..." query string shown in each msg is not part of the match (the export appears to
# emit only the path), so all three fire together for any /dwn.php request to 103.40.123.34.
# Keep one of them, or add a second http.uri content on the d= value if per-payload
# visibility matters for triage.
alert http $HOME_NET any -> 103.40.123.34 $HTTP_PORTS (msg: "MISP e343 [misp-galaxy:malpedia="Prometei",tlp:white] Outgoing URL http|3a|//103.40.123.34/dwn.php?d=rdpcIip.exe"; flow:to_server,established; http.header; content:"103.40.123.34"; fast_pattern; nocase; http.uri; content:"/dwn.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4183941; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/343;)
alert http $HOME_NET any -> 103.40.123.34 $HTTP_PORTS (msg: "MISP e343 [misp-galaxy:malpedia="Prometei",tlp:white] Outgoing URL http|3a|//103.40.123.34/dwn.php?d=7z32.exe"; flow:to_server,established; http.header; content:"103.40.123.34"; fast_pattern; nocase; http.uri; content:"/dwn.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4183951; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/343;)
alert http $HOME_NET any -> 103.40.123.34 $HTTP_PORTS (msg: "MISP e343 [misp-galaxy:malpedia="Prometei",tlp:white] Outgoing URL http|3a|//103.40.123.34/dwn.php?d=7z32.dll"; flow:to_server,established; http.header; content:"103.40.123.34"; fast_pattern; nocase; http.uri; content:"/dwn.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4183961; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/343;)
# NOTE(review): several Prometei URL rules (4183971 here; 4183881, 4183891, 4184031 and 4184051
# nearby) use a literal destination port 180 instead of $HTTP_PORTS. "alert http" then depends
# on the sensor's app-layer protocol detection recognising HTTP on that port — verify HTTP
# detection is not restricted to the configured HTTP ports, otherwise these never evaluate.
alert http $HOME_NET any -> 103.126.6.233 180 (msg: "MISP e343 [misp-galaxy:malpedia="Prometei",tlp:white] Outgoing URL http|3a|//103.126.6.233|3a|180/AppServ180.zip"; flow:to_server,established; http.header; content:"103.126.6.233"; fast_pattern; nocase; http.uri; content:"/AppServ180.zip"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4183971; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/343;)
alert http $HOME_NET any -> 103.40.123.34 $HTTP_PORTS (msg: "MISP e343 [misp-galaxy:malpedia="Prometei",tlp:white] Outgoing URL 
http|3a|//103.40.123.34/srch.7z"; flow:to_server,established; http.header; content:"103.40.123.34"; fast_pattern; nocase; http.uri; content:"/srch.7z"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4183981; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/343;) alert http $HOME_NET any -> 103.40.123.34 $HTTP_PORTS (msg: "MISP e343 [misp-galaxy:malpedia="Prometei",tlp:white] Outgoing URL http|3a|//103.40.123.34/desktop.txt"; flow:to_server,established; http.header; content:"103.40.123.34"; fast_pattern; nocase; http.uri; content:"/desktop.txt"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4183991; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/343;) alert http $HOME_NET any -> 103.40.123.34 $HTTP_PORTS (msg: "MISP e343 [misp-galaxy:malpedia="Prometei",tlp:white] Outgoing URL http|3a|//103.40.123.34/bklocal2.php"; flow:to_server,established; http.header; content:"103.40.123.34"; fast_pattern; nocase; http.uri; content:"/bklocal2.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4184001; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/343;) alert http $HOME_NET any -> 103.40.123.34 $HTTP_PORTS (msg: "MISP e343 [misp-galaxy:malpedia="Prometei",tlp:white] Outgoing URL http|3a|//103.40.123.34/bklocal4.php"; flow:to_server,established; http.header; content:"103.40.123.34"; fast_pattern; nocase; http.uri; content:"/bklocal4.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4184011; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/343;) alert http $HOME_NET any -> 103.40.123.34 $HTTP_PORTS (msg: "MISP e343 [misp-galaxy:malpedia="Prometei",tlp:white] Outgoing URL http|3a|//103.40.123.34/update.7z"; flow:to_server,established; http.header; content:"103.40.123.34"; fast_pattern; nocase; http.uri; content:"/update.7z"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4184021; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/343;) alert http $HOME_NET any -> 194.195.213.62 180 (msg: "MISP e343 [misp-galaxy:malpedia="Prometei",tlp:white] Outgoing URL http|3a|//194.195.213.62|3a|180/srch.7z"; flow:to_server,established; http.header; content:"194.195.213.62"; fast_pattern; nocase; http.uri; content:"/srch.7z"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4184031; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/343;) alert http $HOME_NET any -> 103.184.128.244 $HTTP_PORTS (msg: "MISP e343 [misp-galaxy:malpedia="Prometei",tlp:white] Outgoing URL http|3a|//103.184.128.244/update.7z"; flow:to_server,established; http.header; content:"103.184.128.244"; fast_pattern; nocase; http.uri; content:"/update.7z"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4184041; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/343;) alert http $HOME_NET any -> 211.232.48.65 180 (msg: "MISP e343 [misp-galaxy:malpedia="Prometei",tlp:white] Outgoing URL http|3a|//211.232.48.65|3a|180/update.7z"; flow:to_server,established; http.header; content:"211.232.48.65"; fast_pattern; nocase; http.uri; content:"/update.7z"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4184051; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/343;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e343 [misp-galaxy:malpedia="Prometei",tlp:white] Outgoing URL http|3a|//p2.feefreepool.net/cgi-bin/prometei.cgi"; flow:to_server,established; http.header; content:"p2.feefreepool.net"; fast_pattern; nocase; http.uri; content:"/cgi-bin/prometei.cgi"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4184061; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/343;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e343 [misp-galaxy:malpedia="Prometei",tlp:white] Outgoing URL 
http|3a|//mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.zero/cgi-bin/prometei.cgi"; flow:to_server,established; http.header; content:"mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.zero"; fast_pattern; nocase; http.uri; content:"/cgi-bin/prometei.cgi"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4184071; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/343;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e343 [misp-galaxy:malpedia="Prometei",tlp:white] Outgoing URL https|3a|//gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgi"; tls.sni; content:"gb7ni5rgeexdcncj.onion"; tag:session,600,seconds; classtype:trojan-activity; sid:4184081; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/343;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e343 [misp-galaxy:malpedia="Prometei",tlp:white] Outgoing URL http|3a|//mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.b32.i2p/cgi-bin/prometei.cgi"; flow:to_server,established; http.header; content:"mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.b32.i2p"; fast_pattern; nocase; http.uri; content:"/cgi-bin/prometei.cgi"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4184091; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/343;) alert ip $HOME_NET any -> 193.169.255.78 any (msg: "MISP e344 [misp-galaxy:ransomware="Xorist",tlp:white] Outgoing To IP: 193.169.255.78"; classtype:trojan-activity; sid:4184581; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/344;) alert dns any any -> any any (msg: "MISP e344 [misp-galaxy:ransomware="Xorist",tlp:white] Domain clipper.guru"; dns.query; content:"clipper.guru"; nocase; pcre: "/(^|[^A-Za-z0-9-])clipper\.guru$/i"; classtype:trojan-activity; sid:4184601; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/344;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e344 [misp-galaxy:ransomware="Xorist",tlp:white] 
Outgoing HTTP Domain clipper.guru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"clipper.guru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])clipper\.guru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4184602; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/344;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e344 [misp-galaxy:ransomware="Xorist",tlp:white] Source Email Address: hack3dlikeapro@proton.me"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"hack3dlikeapro@proton.me"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4184621; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/344;) alert http $HOME_NET any -> 193.169.255.78 $HTTP_PORTS (msg: "MISP e344 [misp-galaxy:ransomware="Xorist",tlp:white] Outgoing URL http|3a|//193.169.255.78/fw-apgksdtpx4hoaujjmbvdnxpohz.pdf.zip"; flow:to_server,established; http.header; content:"193.169.255.78"; fast_pattern; nocase; http.uri; content:"/fw-apgksdtpx4hoaujjmbvdnxpohz.pdf.zip"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4184631; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/344;) alert http $HOME_NET any -> 193.169.255.78 $HTTP_PORTS (msg: "MISP e344 [misp-galaxy:ransomware="Xorist",tlp:white] Outgoing URL http|3a|//193.169.255.78/fw-cpgk2xfpx4hoaujjmbvdnxpohz.pdf.zip"; flow:to_server,established; http.header; content:"193.169.255.78"; fast_pattern; nocase; http.uri; content:"/fw-cpgk2xfpx4hoaujjmbvdnxpohz.pdf.zip"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4184641; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/344;) alert ip $HOME_NET any -> 144.76.136.153 any (msg: "MISP e344 [misp-galaxy:ransomware="Xorist",tlp:white] Outgoing To IP: 144.76.136.153"; classtype:trojan-activity; sid:4184741; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/344;) alert dns any any -> any any (msg: "MISP e344 [misp-galaxy:ransomware="Xorist",tlp:white] Domain transfer.sh"; dns.query; content:"transfer.sh"; nocase; pcre: "/(^|[^A-Za-z0-9-])transfer\.sh$/i"; classtype:trojan-activity; sid:4184751; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/344;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e344 [misp-galaxy:ransomware="Xorist",tlp:white] Outgoing HTTP Domain transfer.sh"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"transfer.sh"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])transfer\.sh[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4184752; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/344;) alert ip $HOME_NET any -> 64.34.216.50 any (msg: "MISP e345 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing To IP: 64.34.216.50"; classtype:trojan-activity; sid:4184801; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/345;) alert ip $HOME_NET any -> 45.147.26.45 any (msg: "MISP e345 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing To IP: 45.147.26.45"; classtype:trojan-activity; sid:4184811; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/345;) alert ip $HOME_NET any -> 45.32.101.7 any (msg: "MISP e345 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing To IP: 45.32.101.7"; classtype:trojan-activity; sid:4184821; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/345;) alert ip $HOME_NET any -> 64.34.216.44 any (msg: "MISP e345 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing To IP: 64.34.216.44"; 
classtype:trojan-activity; sid:4184831; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/345;) alert ip $HOME_NET any -> 185.80.201.4 any (msg: "MISP e345 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing To IP: 185.80.201.4"; classtype:trojan-activity; sid:4184841; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/345;) alert ip $HOME_NET any -> 103.192.226.87 any (msg: "MISP e345 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing To IP: 103.192.226.87"; classtype:trojan-activity; sid:4184851; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/345;) alert ip $HOME_NET any -> 194.124.227.90 any (msg: "MISP e345 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing To IP: 194.124.227.90"; classtype:trojan-activity; sid:4184861; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/345;) alert ip $HOME_NET any -> 43.254.218.128 any (msg: "MISP e345 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing To IP: 43.254.218.128"; classtype:trojan-activity; sid:4184871; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/345;) alert ip $HOME_NET any -> 62.233.57.49 any (msg: "MISP e345 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing To IP: 62.233.57.49"; classtype:trojan-activity; sid:4184881; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/345;) alert ip $HOME_NET any -> 5.34.178.156 any (msg: "MISP e345 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing To IP: 5.34.178.156"; classtype:trojan-activity; sid:4184911; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/345;) alert ip $HOME_NET any -> 101.36.125.203 any (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing To IP: 101.36.125.203"; classtype:trojan-activity; sid:4186101; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert ip $HOME_NET any -> 103.159.132.70 any (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing To IP: 103.159.132.70"; classtype:trojan-activity; sid:4186111; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert ip $HOME_NET any -> 103.15.28.145 any (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing To IP: 103.15.28.145"; classtype:trojan-activity; sid:4186121; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert ip $HOME_NET any -> 103.15.28.208 443 (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing To IP: 103.15.28.208|443"; classtype:trojan-activity; sid:4186131; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert ip $HOME_NET any -> 103.15.28.208 80 (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing To IP: 103.15.28.208|80"; classtype:trojan-activity; sid:4186141; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert ip $HOME_NET any -> 103.200.97.150 any (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing To IP: 103.200.97.150"; classtype:trojan-activity; sid:4186151; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert ip $HOME_NET any 
-> 103.75.190.50 any (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing To IP: 103.75.190.50"; classtype:trojan-activity; sid:4186161; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert ip $HOME_NET any -> 103.91.64.134 any (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing To IP: 103.91.64.134"; classtype:trojan-activity; sid:4186171; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert ip $HOME_NET any -> 107.167.64.4 443 (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing To IP: 107.167.64.4|443"; classtype:trojan-activity; sid:4186181; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert ip $HOME_NET any -> 107.178.71.211 any (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing To IP: 107.178.71.211"; classtype:trojan-activity; sid:4186191; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert ip $HOME_NET any -> 110.42.64.64 24680 (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing To IP: 110.42.64.64|24680"; classtype:trojan-activity; sid:4186201; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert ip $HOME_NET any -> 155.94.200.209 any (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing To IP: 155.94.200.209"; classtype:trojan-activity; sid:4186211; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert ip $HOME_NET any -> 155.94.200.212 any (msg: "MISP e346 
[misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing To IP: 155.94.200.212"; classtype:trojan-activity; sid:4186221; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert ip $HOME_NET any -> 176.118.167.36 any (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing To IP: 176.118.167.36"; classtype:trojan-activity; sid:4186231; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert ip $HOME_NET any -> 185.239.226.17 any (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing To IP: 185.239.226.17"; classtype:trojan-activity; sid:4186241; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert ip $HOME_NET any -> 202.58.105.38 80 (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing To IP: 202.58.105.38|80"; classtype:trojan-activity; sid:4186261; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert ip $HOME_NET any -> 45.248.87.162 any (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing To IP: 45.248.87.162"; classtype:trojan-activity; sid:4186271; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert ip $HOME_NET any -> 45.43.50.197 any (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing To IP: 45.43.50.197"; classtype:trojan-activity; sid:4186281; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert ip $HOME_NET any -> 46.8.198.134 any (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - 
G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing To IP: 46.8.198.134"; classtype:trojan-activity; sid:4186291; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert ip $HOME_NET any -> 5.206.224.167 any (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing To IP: 5.206.224.167"; classtype:trojan-activity; sid:4186301; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert ip $HOME_NET any -> 61.38.252.166 any (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing To IP: 61.38.252.166"; classtype:trojan-activity; sid:4186311; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert ip $HOME_NET any -> 86.105.227.115 any (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing To IP: 86.105.227.115"; classtype:trojan-activity; sid:4186321; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert ip $HOME_NET any -> 92.118.188.78 any (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing To IP: 92.118.188.78"; classtype:trojan-activity; sid:4186331; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert ip $HOME_NET any -> 92.118.188.78 443 (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing To IP: 92.118.188.78|443"; classtype:trojan-activity; sid:4186341; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert ip $HOME_NET any -> 95.217.1.81 any (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing To IP: 
95.217.1.81"; classtype:trojan-activity; sid:4186351; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing URL 123.51.185.75/jquery-3.3.1.slim.min.js"; flow:to_server,established; http.uri; content:"123.51.185.75/jquery-3.3.1.slim.min.js"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4186361; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert dns any any -> any any (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Hostname fuckeryoumm.nmb.bet"; dns.query; content:"fuckeryoumm.nmb.bet"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])fuckeryoumm\.nmb\.bet$/i"; classtype:trojan-activity; sid:4186371; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing HTTP Hostname fuckeryoumm.nmb.bet"; flow:to_server,established; http.header; content: "Host|3a| fuckeryoumm.nmb.bet"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])fuckeryoumm\.nmb\.bet[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4186372; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert http $HOME_NET any -> 103.107.104.19 $HTTP_PORTS (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing URL http|3a|//103.107.104.19/2022/eu.docx"; flow:to_server,established; http.header; content:"103.107.104.19"; fast_pattern; nocase; http.uri; content:"/2022/eu.docx"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4186381; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/346;) alert http $HOME_NET any -> 103.107.104.19 $HTTP_PORTS (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing URL http|3a|//103.107.104.19/DocConvDll.dll"; flow:to_server,established; http.header; content:"103.107.104.19"; fast_pattern; nocase; http.uri; content:"/DocConvDll.dll"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4186391; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert http $HOME_NET any -> 103.107.104.19 $HTTP_PORTS (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing URL http|3a|//103.107.104.19/FontEDL.exe"; flow:to_server,established; http.header; content:"103.107.104.19"; fast_pattern; nocase; http.uri; content:"/FontEDL.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4186401; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert http $HOME_NET any -> 103.107.104.19 $HTTP_PORTS (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing URL http|3a|//103.107.104.19/FontLog.dat"; flow:to_server,established; http.header; content:"103.107.104.19"; fast_pattern; nocase; http.uri; content:"/FontLog.dat"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4186411; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert http $HOME_NET any -> 103.15.28.145 6666 (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing URL http|3a|//103.15.28.145|3a|6666/maps/overlaybfpr?q=san%20diego%20ca%20zoo"; flow:to_server,established; http.header; content:"103.15.28.145"; fast_pattern; nocase; http.uri; content:"/maps/overlaybfpr"; nocase; tag:session,600,seconds; 
classtype:trojan-activity; sid:4186421; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert http $HOME_NET any -> 103.75.190.50 443 (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing URL http|3a|//103.75.190.50|3a|443/maps/overlaybfpr?q=san%20diego%20ca%20zoo"; flow:to_server,established; http.header; content:"103.75.190.50"; fast_pattern; nocase; http.uri; content:"/maps/overlaybfpr"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4186431; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert http $HOME_NET any -> 103.85.24.158 $HTTP_PORTS (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing URL http|3a|//103.85.24.158/eeas.dat"; flow:to_server,established; http.header; content:"103.85.24.158"; fast_pattern; nocase; http.uri; content:"/eeas.dat"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4186441; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert http $HOME_NET any -> 107.178.71.211 $HTTP_PORTS (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing URL http|3a|//107.178.71.211/eu/DocConvDll.dll"; flow:to_server,established; http.header; content:"107.178.71.211"; fast_pattern; nocase; http.uri; content:"/eu/DocConvDll.dll"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4186451; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert http $HOME_NET any -> 107.178.71.211 $HTTP_PORTS (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing URL http|3a|//107.178.71.211/eu/FontEDL.exe"; flow:to_server,established; http.header; content:"107.178.71.211"; fast_pattern; nocase; http.uri; 
content:"/eu/FontEDL.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4186461; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert http $HOME_NET any -> 107.178.71.211 $HTTP_PORTS (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing URL http|3a|//107.178.71.211/eu/FontLog.dat"; flow:to_server,established; http.header; content:"107.178.71.211"; fast_pattern; nocase; http.uri; content:"/eu/FontLog.dat"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4186471; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert http $HOME_NET any -> 107.178.71.211 $HTTP_PORTS (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing URL http|3a|//107.178.71.211/eu/Report.pdf"; flow:to_server,established; http.header; content:"107.178.71.211"; fast_pattern; nocase; http.uri; content:"/eu/Report.pdf"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4186481; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert http $HOME_NET any -> 155.94.200.206 $HTTP_PORTS (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing URL http|3a|//155.94.200.206/images/branding/newtap.css"; flow:to_server,established; http.header; content:"155.94.200.206"; fast_pattern; nocase; http.uri; content:"/images/branding/newtap.css"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4186491; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert http $HOME_NET any -> 155.94.200.206 $HTTP_PORTS (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing URL http|3a|//155.94.200.206/resources/Invitation.jpg"; 
flow:to_server,established; http.header; content:"155.94.200.206"; fast_pattern; nocase; http.uri; content:"/resources/Invitation.jpg"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4186501; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert http $HOME_NET any -> 155.94.200.209 $HTTP_PORTS (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing URL http|3a|//155.94.200.209/assets/mail/fonts/v1/fonts/last.jpg"; flow:to_server,established; http.header; content:"155.94.200.209"; fast_pattern; nocase; http.uri; content:"/assets/mail/fonts/v1/fonts/last.jpg"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4186511; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert http $HOME_NET any -> 155.94.200.211 $HTTP_PORTS (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing URL http|3a|//155.94.200.211/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/server.gif"; flow:to_server,established; http.header; content:"155.94.200.211"; fast_pattern; nocase; http.uri; content:"/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/server.gif"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4186521; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert http $HOME_NET any -> 155.94.200.211 $HTTP_PORTS (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing URL http|3a|//155.94.200.211/news/live/world-europe-60830013"; flow:to_server,established; http.header; content:"155.94.200.211"; fast_pattern; nocase; http.uri; content:"/news/live/world-europe-60830013"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4186531; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/346;) alert http $HOME_NET any -> 45.154.14.235 $HTTP_PORTS (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing URL http|3a|//45.154.14.235/2022/COVID-19%20travel%20restrictions%20EU%20reviews%20list%20of%20third%20countries.doc"; flow:to_server,established; http.header; content:"45.154.14.235"; fast_pattern; nocase; http.uri; content:"/2022/COVID-19%20travel%20restrictions%20EU%20reviews%20list%20of%20third%20countries.doc"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4186541; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert http $HOME_NET any -> 45.154.14.235 $HTTP_PORTS (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing URL http|3a|//45.154.14.235/2022/PotPlayer.dll"; flow:to_server,established; http.header; content:"45.154.14.235"; fast_pattern; nocase; http.uri; content:"/2022/PotPlayer.dll"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4186551; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert http $HOME_NET any -> 45.154.14.235 $HTTP_PORTS (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing URL http|3a|//45.154.14.235/2022/PotPlayer.exe"; flow:to_server,established; http.header; content:"45.154.14.235"; fast_pattern; nocase; http.uri; content:"/2022/PotPlayer.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4186561; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert http $HOME_NET any -> 45.154.14.235 $HTTP_PORTS (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing URL http|3a|//45.154.14.235/2022/PotPlayerDB.dat"; 
flow:to_server,established; http.header; content:"45.154.14.235"; fast_pattern; nocase; http.uri; content:"/2022/PotPlayerDB.dat"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4186571; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert http $HOME_NET any -> 45.154.14.235 $HTTP_PORTS (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing URL http|3a|//45.154.14.235/2023/PotPlayer.dll"; flow:to_server,established; http.header; content:"45.154.14.235"; fast_pattern; nocase; http.uri; content:"/2023/PotPlayer.dll"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4186581; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert http $HOME_NET any -> 45.154.14.235 $HTTP_PORTS (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing URL http|3a|//45.154.14.235/2023/PotPlayer.exe"; flow:to_server,established; http.header; content:"45.154.14.235"; fast_pattern; nocase; http.uri; content:"/2023/PotPlayer.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4186591; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert http $HOME_NET any -> 45.154.14.235 $HTTP_PORTS (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing URL http|3a|//45.154.14.235/2023/PotPlayerDB.dat"; flow:to_server,established; http.header; content:"45.154.14.235"; fast_pattern; nocase; http.uri; content:"/2023/PotPlayerDB.dat"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4186601; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert http $HOME_NET any -> 45.154.14.235 $HTTP_PORTS (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - 
S0013",tlp:white] Outgoing URL http|3a|//45.154.14.235/mfa/Council%20conclusions%20on%20the%20European%20security%20situation.pdf"; flow:to_server,established; http.header; content:"45.154.14.235"; fast_pattern; nocase; http.uri; content:"/mfa/Council%20conclusions%20on%20the%20European%20security%20situation.pdf"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4186611; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert http $HOME_NET any -> 45.154.14.235 $HTTP_PORTS (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing URL http|3a|//45.154.14.235/PotPlayer.dll"; flow:to_server,established; http.header; content:"45.154.14.235"; fast_pattern; nocase; http.uri; content:"/PotPlayer.dll"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4186621; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert http $HOME_NET any -> 45.154.14.235 $HTTP_PORTS (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing URL http|3a|//45.154.14.235/PotPlayer.exe"; flow:to_server,established; http.header; content:"45.154.14.235"; fast_pattern; nocase; http.uri; content:"/PotPlayer.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4186631; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert http $HOME_NET any -> 45.154.14.235 $HTTP_PORTS (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing URL http|3a|//45.154.14.235/PotPlayerDB.dat"; flow:to_server,established; http.header; content:"45.154.14.235"; fast_pattern; nocase; http.uri; content:"/PotPlayerDB.dat"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4186641; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert http 
$HOME_NET any -> 45.154.14.235 $HTTP_PORTS (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing URL http|3a|//45.154.14.235/State_aid__Commission_approves_2022-2027_regional_aid_map_for_Greece.pdf"; flow:to_server,established; http.header; content:"45.154.14.235"; fast_pattern; nocase; http.uri; content:"/State_aid__Commission_approves_2022-2027_regional_aid_map_for_Greece.pdf"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4186651; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert http $HOME_NET any -> 95.217.1.81 $HTTP_PORTS (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing URL http|3a|//95.217.1.81/maps/overlayBFPR"; flow:to_server,established; http.header; content:"95.217.1.81"; fast_pattern; nocase; http.uri; content:"/maps/overlayBFPR"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4186661; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert http $HOME_NET any -> 95.217.1.81 $HTTP_PORTS (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing URL http|3a|//95.217.1.81/maps/overlaybfpr?q=san%20diego%20ca%20zoo"; flow:to_server,established; http.header; content:"95.217.1.81"; fast_pattern; nocase; http.uri; content:"/maps/overlaybfpr"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4186671; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing URL http|3a|//upespr.com/PotPlayer.exe"; flow:to_server,established; http.header; content:"upespr.com"; fast_pattern; nocase; http.uri; 
content:"/PotPlayer.exe"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4186681; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing URL http|3a|//upespr.com/PotPlayerDB.dat"; flow:to_server,established; http.header; content:"upespr.com"; fast_pattern; nocase; http.uri; content:"/PotPlayerDB.dat"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4186691; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing URL http|3a|//upespr.com/State_aid__Commission_approves_2022-2027_regional_aid_map_for_Greece.pdf"; flow:to_server,established; http.header; content:"upespr.com"; fast_pattern; nocase; http.uri; content:"/State_aid__Commission_approves_2022-2027_regional_aid_map_for_Greece.pdf"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4186701; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing URL http|3a|//www.zyber-i.com/europa/2022.zip"; flow:to_server,established; http.header; content:"www.zyber-i.com"; fast_pattern; nocase; http.uri; content:"/europa/2022.zip"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4186711; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing URL 
https|3a|//45.154.14.235/2023/EU"; tls.sni; content:"45.154.14.235"; tag:session,600,seconds; classtype:trojan-activity; sid:4186721; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing URL https|3a|//45.154.14.235/2023/PotPlayer.dll"; tls.sni; content:"45.154.14.235"; tag:session,600,seconds; classtype:trojan-activity; sid:4186731; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing URL https|3a|//45.154.14.235/2023/PotPlayer.exe"; tls.sni; content:"45.154.14.235"; tag:session,600,seconds; classtype:trojan-activity; sid:4186741; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing URL https|3a|//45.154.14.235/2023/PotPlayerDB.dat"; tls.sni; content:"45.154.14.235"; tag:session,600,seconds; classtype:trojan-activity; sid:4186751; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing URL https|3a|//drive.google.com/uc?id=1BG0F1NdkPZOY6w2Y0YEs6nMGYLvSJiQo&export=download"; tls.sni; content:"drive.google.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4186761; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - 
G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing URL https|3a|//drive.google.com/uc?id=1ITPqIFuWOQZ08RmMUDMmzWpg69_EbLTO"; tls.sni; content:"drive.google.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4186771; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing URL https|3a|//drive.google.com/uc?id=1NsauYfE3NaFmtI0M99RAe3DmOxO1bBak&export=download"; tls.sni; content:"drive.google.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4186781; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing URL https|3a|//drive.google.com/uc?id=1trg9KJtKJUkKHgP57AhJSirw83-nIwyu&export=download"; tls.sni; content:"drive.google.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4186791; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing URL https|3a|//president-office.gov.mm/sites/default/files/font/All-in-One_Pyidaungsu_Font.zip"; tls.sni; content:"president-office.gov.mm"; tag:session,600,seconds; classtype:trojan-activity; sid:4186801; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e346 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white] Outgoing URL https|3a|//www.president-office.gov.mm/sites/default/files/font/All-in-One_Pyidaungsu_Font.zip"; tls.sni; 
content:"www.president-office.gov.mm"; tag:session,600,seconds; classtype:trojan-activity; sid:4186811; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/346;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//counter.yadro.ru/hit?t44.1"; flow:to_server,established; http.header; content:"counter.yadro.ru"; fast_pattern; nocase; http.uri; content:"/hit"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4186831; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//cloudxml.com.br|3a|443/"; flow:to_server,established; http.header; content:"cloudxml.com.br"; fast_pattern; nocase; http.uri; content:"/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4186841; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> 167.71.4.0 8080 (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//167.71.4.0|3a|8080/"; flow:to_server,established; http.header; content:"167.71.4.0"; fast_pattern; nocase; http.uri; content:"/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4186851; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//aprendeconmireia.com|3a|443/"; flow:to_server,established; http.header; content:"aprendeconmireia.com"; fast_pattern; nocase; http.uri; content:"/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4186861; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e347 
[misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//cs.com.sg|3a|443/"; flow:to_server,established; http.header; content:"cs.com.sg"; fast_pattern; nocase; http.uri; content:"/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4186871; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//www.careofu.com|3a|443/"; flow:to_server,established; http.header; content:"www.careofu.com"; fast_pattern; nocase; http.uri; content:"/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4186881; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//copunupo.ac.zm|3a|443/"; flow:to_server,established; http.header; content:"copunupo.ac.zm"; fast_pattern; nocase; http.uri; content:"/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4186891; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL https|3a|//www.zachboyle.com/wp-admin/EA470ZrTGNkuA/"; tls.sni; content:"www.zachboyle.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4186901; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> 169.60.181.70 8080 (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//169.60.181.70|3a|8080/"; flow:to_server,established; http.header; content:"169.60.181.70"; fast_pattern; nocase; http.uri; content:"/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4186911; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) 
alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//blangkonstudio.com|3a|443/"; flow:to_server,established; http.header; content:"blangkonstudio.com"; fast_pattern; nocase; http.uri; content:"/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4186921; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//caimari.com|3a|443/"; flow:to_server,established; http.header; content:"caimari.com"; fast_pattern; nocase; http.uri; content:"/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4186931; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL https|3a|//www.elaboro.pl/wp-admin/J0hwyIMsk9YFIi/"; tls.sni; content:"www.elaboro.pl"; tag:session,600,seconds; classtype:trojan-activity; sid:4186941; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//cocostrunket.com/wp-content/GlJk9/"; flow:to_server,established; http.header; content:"cocostrunket.com"; fast_pattern; nocase; http.uri; content:"/wp-content/GlJk9/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4186951; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//cronoatletas.uy/headers/hPoIMx/"; flow:to_server,established; http.header; content:"cronoatletas.uy"; fast_pattern; nocase; http.uri; content:"/headers/hPoIMx/"; nocase; 
tag:session,600,seconds; classtype:trojan-activity; sid:4186961; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL https|3a|//link2thai.com/Lock/aZNj/"; tls.sni; content:"link2thai.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4186971; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL https|3a|//www.melisetotoaksesuar.com/catalog/pFyl/"; tls.sni; content:"www.melisetotoaksesuar.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4186981; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//brittknight.com/PHP/Aqxf09OugZ/"; flow:to_server,established; http.header; content:"brittknight.com"; fast_pattern; nocase; http.uri; content:"/PHP/Aqxf09OugZ/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4186991; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//demirelmarka.com/wp-admin/vMmu5VHyAbUgIU/"; flow:to_server,established; http.header; content:"demirelmarka.com"; fast_pattern; nocase; http.uri; content:"/wp-admin/vMmu5VHyAbUgIU/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4187001; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//www.chacaltattoo.com.br/css/m51P4/"; 
flow:to_server,established; http.header; content:"www.chacaltattoo.com.br"; fast_pattern; nocase; http.uri; content:"/css/m51P4/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4187011; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//meta4media.com/portfolio2/oYoSTW9fotg/"; flow:to_server,established; http.header; content:"meta4media.com"; fast_pattern; nocase; http.uri; content:"/portfolio2/oYoSTW9fotg/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4187021; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//www.tugarden.com/docs/csv_import/rf6bMPAtbBPiDK/"; flow:to_server,established; http.header; content:"www.tugarden.com"; fast_pattern; nocase; http.uri; content:"/docs/csv_import/rf6bMPAtbBPiDK/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4187031; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> 218.38.121.17 $HTTP_PORTS (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//218.38.121.17/"; flow:to_server,established; http.header; content:"218.38.121.17"; fast_pattern; nocase; http.uri; content:"/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4187041; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//coadymarine.com/Admin/ekamS7WWDkLwS44q/"; flow:to_server,established; http.header; content:"coadymarine.com"; fast_pattern; nocase; http.uri; content:"/Admin/ekamS7WWDkLwS44q/"; 
nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4187051; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//blacksmithbooks.com/blog/yinA3nT/"; flow:to_server,established; http.header; content:"blacksmithbooks.com"; fast_pattern; nocase; http.uri; content:"/blog/yinA3nT/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4187061; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//www.vinyz.com/admin3693/BDFFgAZ6zBRumcUSG/"; flow:to_server,established; http.header; content:"www.vinyz.com"; fast_pattern; nocase; http.uri; content:"/admin3693/BDFFgAZ6zBRumcUSG/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4187071; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//db.rikaz.tech/lCx76IlkrBtEsqNFA7/H9YoD9PuGAHGb3MHZz/"; flow:to_server,established; http.header; content:"db.rikaz.tech"; fast_pattern; nocase; http.uri; content:"/lCx76IlkrBtEsqNFA7/H9YoD9PuGAHGb3MHZz/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4187081; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//isc.net.ua/themes/3rU/"; flow:to_server,established; http.header; content:"isc.net.ua"; fast_pattern; nocase; http.uri; content:"/themes/3rU/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4187091; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//bytesendesign.nl/cgi-bin/oJYQiWRZITmFqE1H/"; flow:to_server,established; http.header; content:"bytesendesign.nl"; fast_pattern; nocase; http.uri; content:"/cgi-bin/oJYQiWRZITmFqE1H/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4187101; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//luminesthemes.com/clone_controller/bKv5LELdgzGRhtVAiJ/"; flow:to_server,established; http.header; content:"luminesthemes.com"; fast_pattern; nocase; http.uri; content:"/clone_controller/bKv5LELdgzGRhtVAiJ/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4187111; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//nlasandbox.com/facebookpage/JFqg2Aqkl3UPZi6xGz/"; flow:to_server,established; http.header; content:"nlasandbox.com"; fast_pattern; nocase; http.uri; content:"/facebookpage/JFqg2Aqkl3UPZi6xGz/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4187121; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//cursosinterativos.com.br/semprichickoff2/pEl/"; flow:to_server,established; http.header; content:"cursosinterativos.com.br"; fast_pattern; nocase; http.uri; content:"/semprichickoff2/pEl/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4187131; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> 178.62.112.199 8080 (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//178.62.112.199|3a|8080/"; flow:to_server,established; http.header; content:"178.62.112.199"; fast_pattern; nocase; http.uri; content:"/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4187141; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//contactworks.nl/images_old/NuEAhfF0PCFhvv/"; flow:to_server,established; http.header; content:"contactworks.nl"; fast_pattern; nocase; http.uri; content:"/images_old/NuEAhfF0PCFhvv/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4187151; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//www.detertecnica.com/var/azLISfW/"; flow:to_server,established; http.header; content:"www.detertecnica.com"; fast_pattern; nocase; http.uri; content:"/var/azLISfW/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4187161; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL https|3a|//copunupo.ac.zm/cgi-bin/bNoAgU9/"; tls.sni; content:"copunupo.ac.zm"; tag:session,600,seconds; classtype:trojan-activity; sid:4187171; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//dazzlecollections.co.za/THDXpHbk3YwA/HTolLw1ams3x/"; 
flow:to_server,established; http.header; content:"dazzlecollections.co.za"; fast_pattern; nocase; http.uri; content:"/THDXpHbk3YwA/HTolLw1ams3x/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4187181; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> 172.105.226.75 8080 (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//172.105.226.75|3a|8080/"; flow:to_server,established; http.header; content:"172.105.226.75"; fast_pattern; nocase; http.uri; content:"/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4187191; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//voinet.ca/cgi-bin/RXDWHpi8dHHZf8/"; flow:to_server,established; http.header; content:"voinet.ca"; fast_pattern; nocase; http.uri; content:"/cgi-bin/RXDWHpi8dHHZf8/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4187201; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL https|3a|//joomlaadvanced.com/marrowx/fbCctJXM0/"; tls.sni; content:"joomlaadvanced.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4187211; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> 103.224.241.74 8080 (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//103.224.241.74|3a|8080/"; flow:to_server,established; http.header; content:"103.224.241.74"; fast_pattern; nocase; http.uri; content:"/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4187221; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert tls $HOME_NET any 
-> $EXTERNAL_NET 443 (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL https|3a|//barkstage.es/wp-content/0E7NdYl7TZuHMJq7/"; tls.sni; content:"barkstage.es"; tag:session,600,seconds; classtype:trojan-activity; sid:4187231; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//demarsoft.com/ALPHAINSTALLS.US/lTsjpA6/"; flow:to_server,established; http.header; content:"demarsoft.com"; fast_pattern; nocase; http.uri; content:"/ALPHAINSTALLS.US/lTsjpA6/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4187241; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//laboritm2022.scienceontheweb.net/css/RoMZndfiNHp/"; flow:to_server,established; http.header; content:"laboritm2022.scienceontheweb.net"; fast_pattern; nocase; http.uri; content:"/css/RoMZndfiNHp/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4187251; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//greycoconut.com/edm/71qUA/"; flow:to_server,established; http.header; content:"greycoconut.com"; fast_pattern; nocase; http.uri; content:"/edm/71qUA/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4187261; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//zonainformatica.es/tienda/XCHJmidSYTkE/"; flow:to_server,established; http.header; 
content:"zonainformatica.es"; fast_pattern; nocase; http.uri; content:"/tienda/XCHJmidSYTkE/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4187271; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//ftp.pricoat.com.mx/Fichas/3ybJLLXu5zqqn8Sx/"; flow:to_server,established; http.header; content:"ftp.pricoat.com.mx"; fast_pattern; nocase; http.uri; content:"/Fichas/3ybJLLXu5zqqn8Sx/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4187281; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> 196.44.98.190 8080 (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//196.44.98.190|3a|8080/"; flow:to_server,established; http.header; content:"196.44.98.190"; fast_pattern; nocase; http.uri; content:"/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4187291; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//updailymail.com/cgi-bin/gBYmfqRi2utIS2n/"; flow:to_server,established; http.header; content:"updailymail.com"; fast_pattern; nocase; http.uri; content:"/cgi-bin/gBYmfqRi2utIS2n/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4187301; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//copayucatan.com.mx/wp-includes/BqaJMpC3osZ0LRnKK/"; flow:to_server,established; http.header; content:"copayucatan.com.mx"; fast_pattern; nocase; http.uri; content:"/wp-includes/BqaJMpC3osZ0LRnKK/"; nocase; 
tag:session,600,seconds; classtype:trojan-activity; sid:4187311; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL https|3a|//188.165.79.151/"; tls.sni; content:"188.165.79.151"; tag:session,600,seconds; classtype:trojan-activity; sid:4187321; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//straightmailconnect.com/cgi-bin/inc/"; flow:to_server,established; http.header; content:"straightmailconnect.com"; fast_pattern; nocase; http.uri; content:"/cgi-bin/inc/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4187331; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL https|3a|//bosny.com/aspnet_client/5VLxhxQCFMinu6/"; tls.sni; content:"bosny.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4187341; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL https|3a|//luzytextura.com/marfinance/gdwyLku/"; tls.sni; content:"luzytextura.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4187351; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//xebabanhchohang.vn/wp-content/sux8Bfyu/"; flow:to_server,established; http.header; content:"xebabanhchohang.vn"; fast_pattern; nocase; http.uri; content:"/wp-content/sux8Bfyu/"; nocase; 
tag:session,600,seconds; classtype:trojan-activity; sid:4187361; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//app.clubdedocentes.com/storage/DCcq9ekgH99sI/"; flow:to_server,established; http.header; content:"app.clubdedocentes.com"; fast_pattern; nocase; http.uri; content:"/storage/DCcq9ekgH99sI/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4187371; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//swiftwebbox.com/cgi-bin/vNqoMtQilpysJYRwtGu/"; flow:to_server,established; http.header; content:"swiftwebbox.com"; fast_pattern; nocase; http.uri; content:"/cgi-bin/vNqoMtQilpysJYRwtGu/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4187381; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//ruitaiwz.com/wp-admin/sV1NeVxLDiHJ1xm/"; flow:to_server,established; http.header; content:"ruitaiwz.com"; fast_pattern; nocase; http.uri; content:"/wp-admin/sV1NeVxLDiHJ1xm/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4187391; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//ftp.agir-santeinternationale.com/doctors/KAacngW97n4ApzVBDdGy/"; flow:to_server,established; http.header; content:"ftp.agir-santeinternationale.com"; fast_pattern; nocase; http.uri; content:"/doctors/KAacngW97n4ApzVBDdGy/"; nocase; tag:session,600,seconds; 
classtype:trojan-activity; sid:4187401; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//coinkub.com/wp-content/NL7Ddclhm/"; flow:to_server,established; http.header; content:"coinkub.com"; fast_pattern; nocase; http.uri; content:"/wp-content/NL7Ddclhm/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4187411; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL https|3a|//geringer-muehle.de/wp-admin/G/"; tls.sni; content:"geringer-muehle.de"; tag:session,600,seconds; classtype:trojan-activity; sid:4187421; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//vourakilina.gr/6vtelq/Xo7C7m/"; flow:to_server,established; http.header; content:"vourakilina.gr"; fast_pattern; nocase; http.uri; content:"/6vtelq/Xo7C7m/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4187431; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//sourcecool.com/throng/iOD/"; flow:to_server,established; http.header; content:"sourcecool.com"; fast_pattern; nocase; http.uri; content:"/throng/iOD/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4187441; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL 
https|3a|//amorecuidados.com.br/wp-admin/t3D/"; tls.sni; content:"amorecuidados.com.br"; tag:session,600,seconds; classtype:trojan-activity; sid:4187451; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//coinkub.com/wp-content/WwrJvjumS/"; flow:to_server,established; http.header; content:"coinkub.com"; fast_pattern; nocase; http.uri; content:"/wp-content/WwrJvjumS/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4187461; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//kabaruntukrakyat.com/wp-content/B9oJ0jh/"; flow:to_server,established; http.header; content:"kabaruntukrakyat.com"; fast_pattern; nocase; http.uri; content:"/wp-content/B9oJ0jh/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4187471; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> 94.23.45.86 4143 (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//94.23.45.86|3a|4143/"; flow:to_server,established; http.header; content:"94.23.45.86"; fast_pattern; nocase; http.uri; content:"/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4187481; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//aibwireless.com/cgi-bin/zR2mG25Ssk8dH/"; flow:to_server,established; http.header; content:"aibwireless.com"; fast_pattern; nocase; http.uri; content:"/cgi-bin/zR2mG25Ssk8dH/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4187491; rev:1; 
priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL https|3a|//audioselec.com/about/dDw5ggtyMojggTqhc/"; tls.sni; content:"audioselec.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4187501; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> 182.162.143.56 $HTTP_PORTS (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//182.162.143.56/"; flow:to_server,established; http.header; content:"182.162.143.56"; fast_pattern; nocase; http.uri; content:"/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4187511; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing URL http|3a|//ly.yjlianyi.top/wp-admin/NRAdJ/"; flow:to_server,established; http.header; content:"ly.yjlianyi.top"; fast_pattern; nocase; http.uri; content:"/wp-admin/NRAdJ/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4187521; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Hostname www.conceptagency.net"; dns.query; content:"www.conceptagency.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.conceptagency\.net$/i"; classtype:trojan-activity; sid:4187531; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Hostname www.conceptagency.net"; flow:to_server,established; http.header; content: "Host|3a| www.conceptagency.net"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-\.])www\.conceptagency\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4187532; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Domain dacsandongthapmuoi.vn"; dns.query; content:"dacsandongthapmuoi.vn"; nocase; pcre: "/(^|[^A-Za-z0-9-])dacsandongthapmuoi\.vn$/i"; classtype:trojan-activity; sid:4187541; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Domain dacsandongthapmuoi.vn"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dacsandongthapmuoi.vn"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dacsandongthapmuoi\.vn[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4187542; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Hostname pricoat.com.mx"; dns.query; content:"pricoat.com.mx"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])pricoat\.com\.mx$/i"; classtype:trojan-activity; sid:4187551; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Hostname pricoat.com.mx"; flow:to_server,established; http.header; content: "Host|3a| pricoat.com.mx"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])pricoat\.com\.mx[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4187552; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Domain datie-tw.com"; dns.query; 
content:"datie-tw.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])datie\-tw\.com$/i"; classtype:trojan-activity; sid:4187561; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Domain datie-tw.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"datie-tw.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])datie\-tw\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4187562; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Hostname talles.atwebpages.com"; dns.query; content:"talles.atwebpages.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])talles\.atwebpages\.com$/i"; classtype:trojan-activity; sid:4187571; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Hostname talles.atwebpages.com"; flow:to_server,established; http.header; content: "Host|3a| talles.atwebpages.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])talles\.atwebpages\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4187572; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Domain annuncivendereairussi.it"; dns.query; content:"annuncivendereairussi.it"; nocase; pcre: "/(^|[^A-Za-z0-9-])annuncivendereairussi\.it$/i"; classtype:trojan-activity; sid:4187581; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] 
Outgoing HTTP Domain annuncivendereairussi.it"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"annuncivendereairussi.it"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])annuncivendereairussi\.it[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4187582; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Hostname demo.cansunoto.com"; dns.query; content:"demo.cansunoto.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])demo\.cansunoto\.com$/i"; classtype:trojan-activity; sid:4187591; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Hostname demo.cansunoto.com"; flow:to_server,established; http.header; content: "Host|3a| demo.cansunoto.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])demo\.cansunoto\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4187592; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Hostname dazzlecollections.co.za"; dns.query; content:"dazzlecollections.co.za"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])dazzlecollections\.co\.za$/i"; classtype:trojan-activity; sid:4187601; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Hostname dazzlecollections.co.za"; flow:to_server,established; http.header; content: "Host|3a| dazzlecollections.co.za"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])dazzlecollections\.co\.za[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4187602; 
rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Hostname www.daxberger.at"; dns.query; content:"www.daxberger.at"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.daxberger\.at$/i"; classtype:trojan-activity; sid:4187611; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Hostname www.daxberger.at"; flow:to_server,established; http.header; content: "Host|3a| www.daxberger.at"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.daxberger\.at[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4187612; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Hostname mipa.uns.ac.id"; dns.query; content:"mipa.uns.ac.id"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mipa\.uns\.ac\.id$/i"; classtype:trojan-activity; sid:4187621; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Hostname mipa.uns.ac.id"; flow:to_server,established; http.header; content: "Host|3a| mipa.uns.ac.id"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mipa\.uns\.ac\.id[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4187622; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Hostname controlnetworks.com.au"; dns.query; content:"controlnetworks.com.au"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])controlnetworks\.com\.au$/i"; classtype:trojan-activity; sid:4187631; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Hostname controlnetworks.com.au"; flow:to_server,established; http.header; content: "Host|3a| controlnetworks.com.au"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])controlnetworks\.com\.au[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4187632; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Hostname annunziato.com.br"; dns.query; content:"annunziato.com.br"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])annunziato\.com\.br$/i"; classtype:trojan-activity; sid:4187641; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Hostname annunziato.com.br"; flow:to_server,established; http.header; content: "Host|3a| annunziato.com.br"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])annunziato\.com\.br[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4187642; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Hostname chacaltattoo.com.br"; dns.query; content:"chacaltattoo.com.br"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])chacaltattoo\.com\.br$/i"; classtype:trojan-activity; sid:4187651; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Hostname chacaltattoo.com.br"; flow:to_server,established; http.header; content: "Host|3a| chacaltattoo.com.br"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-\.])chacaltattoo\.com\.br[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4187652; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Hostname www.lysarbopaysage.fr"; dns.query; content:"www.lysarbopaysage.fr"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.lysarbopaysage\.fr$/i"; classtype:trojan-activity; sid:4187661; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Hostname www.lysarbopaysage.fr"; flow:to_server,established; http.header; content: "Host|3a| www.lysarbopaysage.fr"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.lysarbopaysage\.fr[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4187662; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Domain times.my"; dns.query; content:"times.my"; nocase; pcre: "/(^|[^A-Za-z0-9-])times\.my$/i"; classtype:trojan-activity; sid:4187671; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Domain times.my"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"times.my"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])times\.my[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4187672; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Domain aymanwahdan.at"; dns.query; content:"aymanwahdan.at"; nocase; 
pcre: "/(^|[^A-Za-z0-9-])aymanwahdan\.at$/i"; classtype:trojan-activity; sid:4187681; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Domain aymanwahdan.at"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"aymanwahdan.at"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])aymanwahdan\.at[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4187682; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Hostname amorecuidados.com.br"; dns.query; content:"amorecuidados.com.br"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])amorecuidados\.com\.br$/i"; classtype:trojan-activity; sid:4187691; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Hostname amorecuidados.com.br"; flow:to_server,established; http.header; content: "Host|3a| amorecuidados.com.br"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])amorecuidados\.com\.br[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4187692; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Hostname db.rikaz.tech"; dns.query; content:"db.rikaz.tech"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])db\.rikaz\.tech$/i"; classtype:trojan-activity; sid:4187701; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Hostname db.rikaz.tech"; flow:to_server,established; 
http.header; content: "Host|3a| db.rikaz.tech"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])db\.rikaz\.tech[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4187702; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Domain yjlianyi.top"; dns.query; content:"yjlianyi.top"; nocase; pcre: "/(^|[^A-Za-z0-9-])yjlianyi\.top$/i"; classtype:trojan-activity; sid:4187711; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Domain yjlianyi.top"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"yjlianyi.top"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])yjlianyi\.top[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4187712; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Domain chist.com"; dns.query; content:"chist.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])chist\.com$/i"; classtype:trojan-activity; sid:4187721; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Domain chist.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"chist.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])chist\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4187722; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Hostname www.iam.ch"; 
dns.query; content:"www.iam.ch"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.iam\.ch$/i"; classtype:trojan-activity; sid:4187731; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Hostname www.iam.ch"; flow:to_server,established; http.header; content: "Host|3a| www.iam.ch"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.iam\.ch[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4187732; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Domain mecaprog.com"; dns.query; content:"mecaprog.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])mecaprog\.com$/i"; classtype:trojan-activity; sid:4187741; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Domain mecaprog.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mecaprog.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mecaprog\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4187742; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Hostname cloudxml.com.br"; dns.query; content:"cloudxml.com.br"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cloudxml\.com\.br$/i"; classtype:trojan-activity; sid:4187751; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Hostname cloudxml.com.br"; flow:to_server,established; http.header; 
content: "Host|3a| cloudxml.com.br"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cloudxml\.com\.br[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4187752; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Hostname www.charmingsoftech.com"; dns.query; content:"www.charmingsoftech.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.charmingsoftech\.com$/i"; classtype:trojan-activity; sid:4187761; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Hostname www.charmingsoftech.com"; flow:to_server,established; http.header; content: "Host|3a| www.charmingsoftech.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.charmingsoftech\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4187762; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Domain bosny.com"; dns.query; content:"bosny.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])bosny\.com$/i"; classtype:trojan-activity; sid:4187771; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Domain bosny.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bosny.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bosny\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4187772; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - 
S0367",tlp:white] Domain retardantedefuegoperu.com"; dns.query; content:"retardantedefuegoperu.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])retardantedefuegoperu\.com$/i"; classtype:trojan-activity; sid:4187781; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Domain retardantedefuegoperu.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"retardantedefuegoperu.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])retardantedefuegoperu\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4187782; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Domain bytesendesign.nl"; dns.query; content:"bytesendesign.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])bytesendesign\.nl$/i"; classtype:trojan-activity; sid:4187791; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Domain bytesendesign.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bytesendesign.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bytesendesign\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4187792; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Hostname www.3d-stickers.com"; dns.query; content:"www.3d-stickers.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.3d\-stickers\.com$/i"; classtype:trojan-activity; sid:4187801; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Hostname www.3d-stickers.com"; flow:to_server,established; http.header; content: "Host|3a| www.3d-stickers.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.3d\-stickers\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4187802; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Domain demirelmarka.com"; dns.query; content:"demirelmarka.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])demirelmarka\.com$/i"; classtype:trojan-activity; sid:4187811; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Domain demirelmarka.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"demirelmarka.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])demirelmarka\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4187812; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Hostname www.angloextrema.com.br"; dns.query; content:"www.angloextrema.com.br"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.angloextrema\.com\.br$/i"; classtype:trojan-activity; sid:4187821; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Hostname www.angloextrema.com.br"; flow:to_server,established; http.header; content: "Host|3a| www.angloextrema.com.br"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-\.])www\.angloextrema\.com\.br[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4187822; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Hostname www.thebeginningstore.in"; dns.query; content:"www.thebeginningstore.in"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.thebeginningstore\.in$/i"; classtype:trojan-activity; sid:4187831; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Hostname www.thebeginningstore.in"; flow:to_server,established; http.header; content: "Host|3a| www.thebeginningstore.in"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.thebeginningstore\.in[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4187832; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Hostname www.careofu.com"; dns.query; content:"www.careofu.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.careofu\.com$/i"; classtype:trojan-activity; sid:4187841; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Hostname www.careofu.com"; flow:to_server,established; http.header; content: "Host|3a| www.careofu.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.careofu\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4187842; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Hostname royreid.co.uk"; 
dns.query; content:"royreid.co.uk"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])royreid\.co\.uk$/i"; classtype:trojan-activity; sid:4187851; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Hostname royreid.co.uk"; flow:to_server,established; http.header; content: "Host|3a| royreid.co.uk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])royreid\.co\.uk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4187852; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Domain voinet.ca"; dns.query; content:"voinet.ca"; nocase; pcre: "/(^|[^A-Za-z0-9-])voinet\.ca$/i"; classtype:trojan-activity; sid:4187861; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Domain voinet.ca"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"voinet.ca"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])voinet\.ca[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4187862; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Domain campusconindigital.org"; dns.query; content:"campusconindigital.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])campusconindigital\.org$/i"; classtype:trojan-activity; sid:4187871; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Domain campusconindigital.org"; 
flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"campusconindigital.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])campusconindigital\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4187872; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Domain blacksebo.de"; dns.query; content:"blacksebo.de"; nocase; pcre: "/(^|[^A-Za-z0-9-])blacksebo\.de$/i"; classtype:trojan-activity; sid:4187881; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Domain blacksebo.de"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"blacksebo.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])blacksebo\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4187882; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Domain barkstage.es"; dns.query; content:"barkstage.es"; nocase; pcre: "/(^|[^A-Za-z0-9-])barkstage\.es$/i"; classtype:trojan-activity; sid:4187891; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Domain barkstage.es"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"barkstage.es"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])barkstage\.es[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4187892; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: 
"MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Domain cheffsys.com"; dns.query; content:"cheffsys.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])cheffsys\.com$/i"; classtype:trojan-activity; sid:4187901; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Domain cheffsys.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cheffsys.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cheffsys\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4187902; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Domain contactworks.nl"; dns.query; content:"contactworks.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])contactworks\.nl$/i"; classtype:trojan-activity; sid:4187911; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Domain contactworks.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"contactworks.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])contactworks\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4187912; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Domain demarsoft.com"; dns.query; content:"demarsoft.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])demarsoft\.com$/i"; classtype:trojan-activity; sid:4187921; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 
[misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Domain demarsoft.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"demarsoft.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])demarsoft\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4187922; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Domain aibwireless.com"; dns.query; content:"aibwireless.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])aibwireless\.com$/i"; classtype:trojan-activity; sid:4187931; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Domain aibwireless.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"aibwireless.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])aibwireless\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4187932; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Domain spinbalence.com"; dns.query; content:"spinbalence.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])spinbalence\.com$/i"; classtype:trojan-activity; sid:4187941; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Domain spinbalence.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"spinbalence.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])spinbalence\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4187942; 
rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Domain ruitaiwz.com"; dns.query; content:"ruitaiwz.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ruitaiwz\.com$/i"; classtype:trojan-activity; sid:4187951; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Domain ruitaiwz.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ruitaiwz.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ruitaiwz\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4187952; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Hostname ly.yjlianyi.top"; dns.query; content:"ly.yjlianyi.top"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ly\.yjlianyi\.top$/i"; classtype:trojan-activity; sid:4187961; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Hostname ly.yjlianyi.top"; flow:to_server,established; http.header; content: "Host|3a| ly.yjlianyi.top"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ly\.yjlianyi\.top[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4187962; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Domain wijsneusmedia.nl"; dns.query; content:"wijsneusmedia.nl"; nocase; pcre: "/(^|[^A-Za-z0-9-])wijsneusmedia\.nl$/i"; classtype:trojan-activity; sid:4187971; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Domain wijsneusmedia.nl"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wijsneusmedia.nl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wijsneusmedia\.nl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4187972; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Hostname aquariorecords.com.br"; dns.query; content:"aquariorecords.com.br"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])aquariorecords\.com\.br$/i"; classtype:trojan-activity; sid:4187981; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Hostname aquariorecords.com.br"; flow:to_server,established; http.header; content: "Host|3a| aquariorecords.com.br"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])aquariorecords\.com\.br[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4187982; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Domain alvaovillagecamping.pt"; dns.query; content:"alvaovillagecamping.pt"; nocase; pcre: "/(^|[^A-Za-z0-9-])alvaovillagecamping\.pt$/i"; classtype:trojan-activity; sid:4187991; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Domain alvaovillagecamping.pt"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; 
content:"alvaovillagecamping.pt"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])alvaovillagecamping\.pt[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4187992; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Hostname angel-tn.idv.tw"; dns.query; content:"angel-tn.idv.tw"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])angel\-tn\.idv\.tw$/i"; classtype:trojan-activity; sid:4188001; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Hostname angel-tn.idv.tw"; flow:to_server,established; http.header; content: "Host|3a| angel-tn.idv.tw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])angel\-tn\.idv\.tw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4188002; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Hostname a.angel-tn.idv.tw"; dns.query; content:"a.angel-tn.idv.tw"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])a\.angel\-tn\.idv\.tw$/i"; classtype:trojan-activity; sid:4188011; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Hostname a.angel-tn.idv.tw"; flow:to_server,established; http.header; content: "Host|3a| a.angel-tn.idv.tw"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])a\.angel\-tn\.idv\.tw[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4188012; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Domain 
vourakilina.gr"; dns.query; content:"vourakilina.gr"; nocase; pcre: "/(^|[^A-Za-z0-9-])vourakilina\.gr$/i"; classtype:trojan-activity; sid:4188021; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Domain vourakilina.gr"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vourakilina.gr"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vourakilina\.gr[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4188022; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Domain sat7ate.com"; dns.query; content:"sat7ate.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])sat7ate\.com$/i"; classtype:trojan-activity; sid:4188031; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Domain sat7ate.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sat7ate.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sat7ate\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4188032; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert dns any any -> any any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Domain aldina.jp"; dns.query; content:"aldina.jp"; nocase; pcre: "/(^|[^A-Za-z0-9-])aldina\.jp$/i"; classtype:trojan-activity; sid:4188041; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing HTTP Domain aldina.jp"; 
flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"aldina.jp"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])aldina\.jp[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4188042; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert ip $HOME_NET any -> 179.43.117.122 any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing To IP: 179.43.117.122"; classtype:trojan-activity; sid:4188051; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert ip $HOME_NET any -> 163.172.108.69 any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing To IP: 163.172.108.69"; classtype:trojan-activity; sid:4188061; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert ip $HOME_NET any -> 88.212.202.52 any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing To IP: 88.212.202.52"; classtype:trojan-activity; sid:4188071; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert ip $HOME_NET any -> 5.255.255.77 any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing To IP: 5.255.255.77"; classtype:trojan-activity; sid:4188081; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert ip $HOME_NET any -> 11.23.33.44 any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing To IP: 11.23.33.44"; classtype:trojan-activity; sid:4188091; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert ip $HOME_NET any -> 149.255.58.47 any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing To IP: 149.255.58.47"; classtype:trojan-activity; sid:4188101; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert ip $HOME_NET any -> 185.182.57.100 any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - 
S0367",tlp:white] Outgoing To IP: 185.182.57.100"; classtype:trojan-activity; sid:4188111; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert ip $HOME_NET any -> 185.176.40.57 any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing To IP: 185.176.40.57"; classtype:trojan-activity; sid:4188121; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert ip $HOME_NET any -> 217.64.195.223 any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing To IP: 217.64.195.223"; classtype:trojan-activity; sid:4188131; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert ip $HOME_NET any -> 103.45.229.10 any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing To IP: 103.45.229.10"; classtype:trojan-activity; sid:4188141; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert ip $HOME_NET any -> 203.204.237.108 any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing To IP: 203.204.237.108"; classtype:trojan-activity; sid:4188151; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert ip $HOME_NET any -> 207.180.213.165 any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing To IP: 207.180.213.165"; classtype:trojan-activity; sid:4188161; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert ip $HOME_NET any -> 5.255.255.70 any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing To IP: 5.255.255.70"; classtype:trojan-activity; sid:4188171; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert ip $HOME_NET any -> 81.68.152.197 any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing To IP: 81.68.152.197"; classtype:trojan-activity; sid:4188181; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/347;) alert ip $HOME_NET any -> 185.98.131.156 any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing To IP: 185.98.131.156"; classtype:trojan-activity; sid:4188191; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert ip $HOME_NET any -> 185.176.43.106 any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing To IP: 185.176.43.106"; classtype:trojan-activity; sid:4188201; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert ip $HOME_NET any -> 50.116.62.25 any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing To IP: 50.116.62.25"; classtype:trojan-activity; sid:4188211; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert ip $HOME_NET any -> 167.172.253.162 any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing To IP: 167.172.253.162"; classtype:trojan-activity; sid:4188221; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert ip $HOME_NET any -> 185.148.169.10 any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing To IP: 185.148.169.10"; classtype:trojan-activity; sid:4188231; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert ip $HOME_NET any -> 149.56.131.28 any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing To IP: 149.56.131.28"; classtype:trojan-activity; sid:4188241; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert ip $HOME_NET any -> 82.98.180.154 any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing To IP: 82.98.180.154"; classtype:trojan-activity; sid:4188251; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert ip $HOME_NET any -> 103.41.204.169 any (msg: "MISP e347 
[misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing To IP: 103.41.204.169"; classtype:trojan-activity; sid:4188261; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert ip $HOME_NET any -> 182.162.143.56 any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing To IP: 182.162.143.56"; classtype:trojan-activity; sid:4188271; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert ip $HOME_NET any -> 91.187.140.35 any (msg: "MISP e347 [misp-galaxy:mitre-malware="Emotet - S0367",tlp:white] Outgoing To IP: 91.187.140.35"; classtype:trojan-activity; sid:4188281; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/347;) alert ip $HOME_NET any -> 108.167.180.186 any (msg: "MISP e348 [misp-galaxy:mitre-intrusion-set="APT29 - G0016",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing To IP: 108.167.180.186"; classtype:trojan-activity; sid:4212441; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/348;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e348 [misp-galaxy:mitre-intrusion-set="APT29 - G0016",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing URL https|3a|//literaturaelsalvador.com/Instructions.html"; tls.sni; content:"literaturaelsalvador.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4212451; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/348;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e348 [misp-galaxy:mitre-intrusion-set="APT29 - G0016",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing URL https|3a|//literaturaelsalvador.com/Schedule.html"; tls.sni; content:"literaturaelsalvador.com"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4212461; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/348;) alert dns any any -> any any (msg: "MISP e349 [misp-galaxy:mitre-intrusion-set="APT-C-36 - G0099",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Hostname dian.server.tl"; dns.query; content:"dian.server.tl"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])dian\.server\.tl$/i"; classtype:trojan-activity; sid:4212771; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/349;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e349 [misp-galaxy:mitre-intrusion-set="APT-C-36 - G0099",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Hostname dian.server.tl"; flow:to_server,established; http.header; content: "Host|3a| dian.server.tl"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])dian\.server\.tl[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4212772; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/349;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e349 [misp-galaxy:mitre-intrusion-set="APT-C-36 - G0099",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing URL https|3a|//cdn.discordapp.com/attachments/1067819339090243727/1071063499494666240/Asuntos_DIAN_N34000137L287004P08899997012-03-02-2023-pdf.uue"; tls.sni; content:"cdn.discordapp.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4212781; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/349;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e349 [misp-galaxy:mitre-intrusion-set="APT-C-36 - G0099",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - 
T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing URL https|3a|//cdn.discordapp.com/attachments/1066009888083431506/1070342535702130759/Asuntos_DIAN_N6440005403992837L2088970004-01-02-2023-pdf.uue"; tls.sni; content:"cdn.discordapp.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4212791; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/349;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e349 [misp-galaxy:mitre-intrusion-set="APT-C-36 - G0099",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing URL https|3a|//cdn.discordapp.com/attachments/1072851594812600351/1072851643583967272/Asuntos_DIAN_N3663000227L2870000002456880-08-02-2023-pdf.uue"; tls.sni; content:"cdn.discordapp.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4212801; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/349;) alert http $HOME_NET any -> 172.174.176.153 $HTTP_PORTS (msg: "MISP e349 [misp-galaxy:mitre-intrusion-set="APT-C-36 - G0099",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing URL http|3a|//172.174.176.153/rump/Rump.xls"; flow:to_server,established; http.header; content:"172.174.176.153"; fast_pattern; nocase; http.uri; content:"/rump/Rump.xls"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4212841; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/349;) alert dns any any -> any any (msg: "MISP e349 [misp-galaxy:mitre-intrusion-set="APT-C-36 - G0099",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Hostname asy1543.duckdns.org"; dns.query; content:"asy1543.duckdns.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])asy1543\.duckdns\.org$/i"; classtype:trojan-activity; sid:4212911; 
rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/349;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e349 [misp-galaxy:mitre-intrusion-set="APT-C-36 - G0099",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Hostname asy1543.duckdns.org"; flow:to_server,established; http.header; content: "Host|3a| asy1543.duckdns.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])asy1543\.duckdns\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4212912; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/349;) alert dns any any -> any any (msg: "MISP e349 [misp-galaxy:mitre-intrusion-set="APT-C-36 - G0099",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Hostname sy1543.duckdns.org"; dns.query; content:"sy1543.duckdns.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])sy1543\.duckdns\.org$/i"; classtype:trojan-activity; sid:4212921; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/349;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e349 [misp-galaxy:mitre-intrusion-set="APT-C-36 - G0099",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing HTTP Hostname sy1543.duckdns.org"; flow:to_server,established; http.header; content: "Host|3a| sy1543.duckdns.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])sy1543\.duckdns\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4212922; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/349;) alert ip $HOME_NET any -> 46.246.86.3 any (msg: "MISP e349 [misp-galaxy:mitre-intrusion-set="APT-C-36 - G0099",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - 
T1566",tlp:white] Outgoing To IP: 46.246.86.3"; classtype:trojan-activity; sid:4212931; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/349;) alert ip $HOME_NET any -> 46.246.12.6 any (msg: "MISP e349 [misp-galaxy:mitre-intrusion-set="APT-C-36 - G0099",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing To IP: 46.246.12.6"; classtype:trojan-activity; sid:4212941; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/349;) alert http $HOME_NET any -> 172.174.176.153 $HTTP_PORTS (msg: "MISP e349 [misp-galaxy:mitre-intrusion-set="APT-C-36 - G0099",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing URL http|3a|//172.174.176.153/"; flow:to_server,established; http.header; content:"172.174.176.153"; fast_pattern; nocase; http.uri; content:"/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4212951; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/349;) alert ip $HOME_NET any -> 172.174.176.153 any (msg: "MISP e349 [misp-galaxy:mitre-intrusion-set="APT-C-36 - G0099",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Phishing - T1566",tlp:white] Outgoing To IP: 172.174.176.153"; classtype:trojan-activity; sid:4212961; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/349;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e350 [misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486",tlp:white] Outgoing URL http|3a|//iw6v2p3cruy7tqfup3yl4dgt4pfibfa3ai4zgnu5df2q3hus3lm7c7ad.onion/support"; flow:to_server,established; http.header; content:"iw6v2p3cruy7tqfup3yl4dgt4pfibfa3ai4zgnu5df2q3hus3lm7c7ad.onion"; fast_pattern; nocase; http.uri; content:"/support"; nocase; tag:session,600,seconds; classtype:trojan-activity; 
sid:4213051; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/350;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e351 [misp-galaxy:mitre-attack-pattern="Component Object Model - T1559.001",misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Portable Executable Injection - T1055.002",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047",tlp:white] Outgoing URL http|3a|//windowsupdates.shop/test.dotx"; flow:to_server,established; http.header; content:"windowsupdates.shop"; fast_pattern; nocase; http.uri; content:"/test.dotx"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4213101; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/351;) alert ip $HOME_NET any -> 51.222.103.8 any (msg: "MISP e351 [misp-galaxy:mitre-attack-pattern="Component Object Model - T1559.001",misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Portable Executable Injection - T1055.002",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047",tlp:white] Outgoing To IP: 51.222.103.8"; classtype:trojan-activity; sid:4213131; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/351;) alert dns any any -> any any (msg: "MISP e351 
[misp-galaxy:mitre-attack-pattern="Component Object Model - T1559.001",misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Portable Executable Injection - T1055.002",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047",tlp:white] Hostname updates.win32.live"; dns.query; content:"updates.win32.live"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])updates\.win32\.live$/i"; classtype:trojan-activity; sid:4213241; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/351;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e351 [misp-galaxy:mitre-attack-pattern="Component Object Model - T1559.001",misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Portable Executable Injection - T1055.002",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047",tlp:white] Outgoing HTTP Hostname updates.win32.live"; flow:to_server,established; http.header; content: "Host|3a| updates.win32.live"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])updates\.win32\.live[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4213242; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/351;) alert ip $HOME_NET any -> 185.198.59.109 any (msg: "MISP e351 
[misp-galaxy:mitre-attack-pattern="Component Object Model - T1559.001",misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",misp-galaxy:mitre-attack-pattern="Portable Executable Injection - T1055.002",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",misp-galaxy:mitre-attack-pattern="Process Injection - T1055",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005",misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047",tlp:white] Outgoing To IP: 185.198.59.109"; classtype:trojan-activity; sid:4213261; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/351;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e352 [misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",tlp:white] Outgoing URL http|3a|//t.me/s/chanellsac"; flow:to_server,established; http.header; content:"t.me"; fast_pattern; nocase; http.uri; content:"/s/chanellsac"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4213321; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/352;) alert ip $HOME_NET any -> 206.189.139.249 any (msg: "MISP e352 [misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",tlp:white] Outgoing To IP: 206.189.139.249"; classtype:trojan-activity; sid:4213331; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/352;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e352 [misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",tlp:white] Outgoing URL http|3a|//t.me/s/zapula2"; flow:to_server,established; http.header; content:"t.me"; fast_pattern; nocase; http.uri; content:"/s/zapula2"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4213341; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/352;) alert ip $HOME_NET any -> 104.248.36.191 any (msg: "MISP 
e352 [misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",tlp:white] Outgoing To IP: 104.248.36.191"; classtype:trojan-activity; sid:4213351; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/352;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e352 [misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",tlp:white] Outgoing URL http|3a|//t.me/s/zalup2"; flow:to_server,established; http.header; content:"t.me"; fast_pattern; nocase; http.uri; content:"/s/zalup2"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4213361; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/352;) alert ip $HOME_NET any -> 140.82.29.65 any (msg: "MISP e352 [misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",tlp:white] Outgoing To IP: 140.82.29.65"; classtype:trojan-activity; sid:4213371; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/352;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e352 [misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",tlp:white] Outgoing URL http|3a|//t.me/s/vozmoz2"; flow:to_server,established; http.header; content:"t.me"; fast_pattern; nocase; http.uri; content:"/s/vozmoz2"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4213381; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/352;) alert ip $HOME_NET any -> 159.89.31.49 any (msg: "MISP e352 [misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",tlp:white] Outgoing To IP: 159.89.31.49"; classtype:trojan-activity; sid:4213391; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/352;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e352 [misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",tlp:white] Outgoing URL http|3a|//t.me/s/digitli"; flow:to_server,established; http.header; content:"t.me"; fast_pattern; nocase; http.uri; content:"/s/digitli"; nocase; tag:session,600,seconds; 
classtype:trojan-activity; sid:4213401; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/352;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e352 [misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",tlp:white] Outgoing URL http|3a|//t.me/s/dracarc"; flow:to_server,established; http.header; content:"t.me"; fast_pattern; nocase; http.uri; content:"/s/dracarc"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4213411; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/352;) alert ip $HOME_NET any -> 164.92.234.195 any (msg: "MISP e352 [misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",tlp:white] Outgoing To IP: 164.92.234.195"; classtype:trojan-activity; sid:4213421; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/352;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e352 [misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",tlp:white] Outgoing URL http|3a|//t.me/s/randomnulls"; flow:to_server,established; http.header; content:"t.me"; fast_pattern; nocase; http.uri; content:"/s/randomnulls"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4213431; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/352;) alert ip $HOME_NET any -> 68.183.3.178 any (msg: "MISP e352 [misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",tlp:white] Outgoing To IP: 68.183.3.178"; classtype:trojan-activity; sid:4213441; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/352;) alert ip $HOME_NET any -> 45.77.229.159 any (msg: "MISP e352 [misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",tlp:white] Outgoing To IP: 45.77.229.159"; classtype:trojan-activity; sid:4213451; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/352;) alert ip $HOME_NET any -> 64.227.1.3 any (msg: "MISP e352 [misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",tlp:white] Outgoing To IP: 64.227.1.3"; 
classtype:trojan-activity; sid:4213461; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/352;) alert ip $HOME_NET any -> 64.227.7.134 any (msg: "MISP e352 [misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",tlp:white] Outgoing To IP: 64.227.7.134"; classtype:trojan-activity; sid:4213471; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/352;) alert ip $HOME_NET any -> 84.32.128.41 any (msg: "MISP e352 [misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",tlp:white] Outgoing To IP: 84.32.128.41"; classtype:trojan-activity; sid:4213481; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/352;) alert ip $HOME_NET any -> 84.32.128.215 any (msg: "MISP e352 [misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",tlp:white] Outgoing To IP: 84.32.128.215"; classtype:trojan-activity; sid:4213491; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/352;) alert ip $HOME_NET any -> 104.131.39.154 any (msg: "MISP e352 [misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",tlp:white] Outgoing To IP: 104.131.39.154"; classtype:trojan-activity; sid:4213501; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/352;) alert ip $HOME_NET any -> 143.110.221.189 any (msg: "MISP e352 [misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",tlp:white] Outgoing To IP: 143.110.221.189"; classtype:trojan-activity; sid:4213511; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/352;) alert ip $HOME_NET any -> 157.230.223.20 any (msg: "MISP e352 [misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",tlp:white] Outgoing To IP: 157.230.223.20"; classtype:trojan-activity; sid:4213521; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/352;) alert ip $HOME_NET any -> 157.230.123.48 any (msg: "MISP e352 [misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",tlp:white] Outgoing To IP: 157.230.123.48"; classtype:trojan-activity; sid:4213531; rev:1; 
priority:2; reference:url,https://misp.botvrij.eu/events/view/352;) alert ip $HOME_NET any -> 158.247.199.37 any (msg: "MISP e352 [misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",tlp:white] Outgoing To IP: 158.247.199.37"; classtype:trojan-activity; sid:4213541; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/352;) alert ip $HOME_NET any -> 158.247.199.225 any (msg: "MISP e352 [misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",tlp:white] Outgoing To IP: 158.247.199.225"; classtype:trojan-activity; sid:4213551; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/352;) alert ip $HOME_NET any -> 165.22.7.242 any (msg: "MISP e352 [misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",tlp:white] Outgoing To IP: 165.22.7.242"; classtype:trojan-activity; sid:4213561; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/352;) alert ip $HOME_NET any -> 167.172.173.7 any (msg: "MISP e352 [misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",tlp:white] Outgoing To IP: 167.172.173.7"; classtype:trojan-activity; sid:4213571; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/352;) alert ip $HOME_NET any -> 170.64.152.42 any (msg: "MISP e352 [misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",tlp:white] Outgoing To IP: 170.64.152.42"; classtype:trojan-activity; sid:4213581; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/352;) alert ip $HOME_NET any -> 198.13.42.40 any (msg: "MISP e352 [misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",tlp:white] Outgoing To IP: 198.13.42.40"; classtype:trojan-activity; sid:4213591; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/352;) alert ip $HOME_NET any -> 206.189.143.206 any (msg: "MISP e352 [misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",tlp:white] Outgoing To IP: 206.189.143.206"; classtype:trojan-activity; sid:4213601; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/352;) alert ip $HOME_NET any -> 217.69.3.218 any (msg: "MISP e352 [misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",tlp:white] Outgoing To IP: 217.69.3.218"; classtype:trojan-activity; sid:4213611; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/352;) alert ip $HOME_NET any -> 164.92.126.130 any (msg: "MISP e352 [misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",tlp:white] Outgoing To IP: 164.92.126.130"; classtype:trojan-activity; sid:4213621; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/352;) alert ip $HOME_NET any -> 45.63.42.255 any (msg: "MISP e352 [misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",tlp:white] Outgoing To IP: 45.63.42.255"; classtype:trojan-activity; sid:4213631; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/352;) alert ip $HOME_NET any -> 159.65.174.140 any (msg: "MISP e352 [misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047",tlp:white] Outgoing To IP: 159.65.174.140"; classtype:trojan-activity; sid:4213641; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/352;) alert dns any any -> any any (msg: "MISP e353 [tlp:white,misp-galaxy:threat-actor="Lazarus Group"] Domain akamaicontainer.com"; dns.query; content:"akamaicontainer.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])akamaicontainer\.com$/i"; classtype:trojan-activity; sid:4213671; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/353;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e353 [tlp:white,misp-galaxy:threat-actor="Lazarus Group"] Outgoing HTTP Domain akamaicontainer.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"akamaicontainer.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])akamaicontainer\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4213672; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/353;) alert dns any any -> any any (msg: "MISP e353 [tlp:white,misp-galaxy:threat-actor="Lazarus Group"] Domain akamaitechcloudservices.com"; dns.query; content:"akamaitechcloudservices.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])akamaitechcloudservices\.com$/i"; classtype:trojan-activity; sid:4213681; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/353;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e353 [tlp:white,misp-galaxy:threat-actor="Lazarus Group"] Outgoing HTTP Domain akamaitechcloudservices.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"akamaitechcloudservices.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])akamaitechcloudservices\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4213682; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/353;) alert dns any any -> any any (msg: "MISP e353 [tlp:white,misp-galaxy:threat-actor="Lazarus Group"] Domain azuredeploystore.com"; dns.query; content:"azuredeploystore.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])azuredeploystore\.com$/i"; classtype:trojan-activity; sid:4213691; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/353;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e353 [tlp:white,misp-galaxy:threat-actor="Lazarus Group"] Outgoing HTTP Domain azuredeploystore.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"azuredeploystore.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])azuredeploystore\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4213692; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/353;) alert dns any any -> any any (msg: "MISP e353 [tlp:white,misp-galaxy:threat-actor="Lazarus Group"] Domain azureonlinecloud.com"; dns.query; content:"azureonlinecloud.com"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])azureonlinecloud\.com$/i"; classtype:trojan-activity; sid:4213701; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/353;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e353 [tlp:white,misp-galaxy:threat-actor="Lazarus Group"] Outgoing HTTP Domain azureonlinecloud.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"azureonlinecloud.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])azureonlinecloud\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4213702; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/353;) alert dns any any -> any any (msg: "MISP e353 [tlp:white,misp-galaxy:threat-actor="Lazarus Group"] Domain azureonlinestorage.com"; dns.query; content:"azureonlinestorage.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])azureonlinestorage\.com$/i"; classtype:trojan-activity; sid:4213711; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/353;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e353 [tlp:white,misp-galaxy:threat-actor="Lazarus Group"] Outgoing HTTP Domain azureonlinestorage.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"azureonlinestorage.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])azureonlinestorage\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4213712; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/353;) alert dns any any -> any any (msg: "MISP e353 [tlp:white,misp-galaxy:threat-actor="Lazarus Group"] Domain dunamistrd.com"; dns.query; content:"dunamistrd.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])dunamistrd\.com$/i"; classtype:trojan-activity; sid:4213721; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/353;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e353 [tlp:white,misp-galaxy:threat-actor="Lazarus Group"] Outgoing HTTP Domain 
dunamistrd.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dunamistrd.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dunamistrd\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4213722; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/353;) alert dns any any -> any any (msg: "MISP e353 [tlp:white,misp-galaxy:threat-actor="Lazarus Group"] Domain glcloudservice.com"; dns.query; content:"glcloudservice.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])glcloudservice\.com$/i"; classtype:trojan-activity; sid:4213731; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/353;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e353 [tlp:white,misp-galaxy:threat-actor="Lazarus Group"] Outgoing HTTP Domain glcloudservice.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"glcloudservice.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])glcloudservice\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4213732; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/353;) alert dns any any -> any any (msg: "MISP e353 [tlp:white,misp-galaxy:threat-actor="Lazarus Group"] Domain journalide.org"; dns.query; content:"journalide.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])journalide\.org$/i"; classtype:trojan-activity; sid:4213741; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/353;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e353 [tlp:white,misp-galaxy:threat-actor="Lazarus Group"] Outgoing HTTP Domain journalide.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"journalide.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])journalide\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4213742; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/353;) alert dns any any -> any any (msg: "MISP e353 [tlp:white,misp-galaxy:threat-actor="Lazarus Group"] Domain msedgepackageinfo.com"; dns.query; content:"msedgepackageinfo.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])msedgepackageinfo\.com$/i"; classtype:trojan-activity; sid:4213751; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/353;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e353 [tlp:white,misp-galaxy:threat-actor="Lazarus Group"] Outgoing HTTP Domain msedgepackageinfo.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"msedgepackageinfo.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])msedgepackageinfo\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4213752; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/353;) alert dns any any -> any any (msg: "MISP e353 [tlp:white,misp-galaxy:threat-actor="Lazarus Group"] Domain msstorageazure.com"; dns.query; content:"msstorageazure.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])msstorageazure\.com$/i"; classtype:trojan-activity; sid:4213761; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/353;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e353 [tlp:white,misp-galaxy:threat-actor="Lazarus Group"] Outgoing HTTP Domain msstorageazure.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"msstorageazure.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])msstorageazure\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4213762; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/353;) alert dns any any -> any any (msg: "MISP e353 [tlp:white,misp-galaxy:threat-actor="Lazarus Group"] Domain msstorageboxes.com"; dns.query; content:"msstorageboxes.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])msstorageboxes\.com$/i"; 
classtype:trojan-activity; sid:4213771; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/353;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e353 [tlp:white,misp-galaxy:threat-actor="Lazarus Group"] Outgoing HTTP Domain msstorageboxes.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"msstorageboxes.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])msstorageboxes\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4213772; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/353;) alert dns any any -> any any (msg: "MISP e353 [tlp:white,misp-galaxy:threat-actor="Lazarus Group"] Domain officeaddons.com"; dns.query; content:"officeaddons.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])officeaddons\.com$/i"; classtype:trojan-activity; sid:4213781; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/353;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e353 [tlp:white,misp-galaxy:threat-actor="Lazarus Group"] Outgoing HTTP Domain officeaddons.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"officeaddons.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])officeaddons\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4213782; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/353;) alert dns any any -> any any (msg: "MISP e353 [tlp:white,misp-galaxy:threat-actor="Lazarus Group"] Domain officestoragebox.com"; dns.query; content:"officestoragebox.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])officestoragebox\.com$/i"; classtype:trojan-activity; sid:4213791; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/353;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e353 [tlp:white,misp-galaxy:threat-actor="Lazarus Group"] Outgoing HTTP Domain officestoragebox.com"; flow:to_server,established; http.header; content: 
"Host|3a|"; nocase; http.header; content:"officestoragebox.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])officestoragebox\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4213792; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/353;) alert dns any any -> any any (msg: "MISP e353 [tlp:white,misp-galaxy:threat-actor="Lazarus Group"] Domain pbxcloudeservices.com"; dns.query; content:"pbxcloudeservices.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])pbxcloudeservices\.com$/i"; classtype:trojan-activity; sid:4213801; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/353;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e353 [tlp:white,misp-galaxy:threat-actor="Lazarus Group"] Outgoing HTTP Domain pbxcloudeservices.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pbxcloudeservices.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pbxcloudeservices\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4213802; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/353;) alert dns any any -> any any (msg: "MISP e353 [tlp:white,misp-galaxy:threat-actor="Lazarus Group"] Domain pbxphonenetwork.com"; dns.query; content:"pbxphonenetwork.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])pbxphonenetwork\.com$/i"; classtype:trojan-activity; sid:4213811; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/353;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e353 [tlp:white,misp-galaxy:threat-actor="Lazarus Group"] Outgoing HTTP Domain pbxphonenetwork.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pbxphonenetwork.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pbxphonenetwork\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4213812; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/353;) 
alert dns any any -> any any (msg: "MISP e353 [tlp:white,misp-galaxy:threat-actor="Lazarus Group"] Domain pbxsources.com"; dns.query; content:"pbxsources.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])pbxsources\.com$/i"; classtype:trojan-activity; sid:4213821; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/353;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e353 [tlp:white,misp-galaxy:threat-actor="Lazarus Group"] Outgoing HTTP Domain pbxsources.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pbxsources.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pbxsources\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4213822; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/353;) alert dns any any -> any any (msg: "MISP e353 [tlp:white,misp-galaxy:threat-actor="Lazarus Group"] Domain qwepoi123098.com"; dns.query; content:"qwepoi123098.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])qwepoi123098\.com$/i"; classtype:trojan-activity; sid:4213831; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/353;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e353 [tlp:white,misp-galaxy:threat-actor="Lazarus Group"] Outgoing HTTP Domain qwepoi123098.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"qwepoi123098.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])qwepoi123098\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4213832; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/353;) alert dns any any -> any any (msg: "MISP e353 [tlp:white,misp-galaxy:threat-actor="Lazarus Group"] Domain sbmsa.wiki"; dns.query; content:"sbmsa.wiki"; nocase; pcre: "/(^|[^A-Za-z0-9-])sbmsa\.wiki$/i"; classtype:trojan-activity; sid:4213841; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/353;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg: "MISP e353 [tlp:white,misp-galaxy:threat-actor="Lazarus Group"] Outgoing HTTP Domain sbmsa.wiki"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sbmsa.wiki"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sbmsa\.wiki[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4213842; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/353;) alert dns any any -> any any (msg: "MISP e353 [tlp:white,misp-galaxy:threat-actor="Lazarus Group"] Domain sourceslabs.com"; dns.query; content:"sourceslabs.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])sourceslabs\.com$/i"; classtype:trojan-activity; sid:4213851; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/353;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e353 [tlp:white,misp-galaxy:threat-actor="Lazarus Group"] Outgoing HTTP Domain sourceslabs.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sourceslabs.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sourceslabs\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4213852; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/353;) alert dns any any -> any any (msg: "MISP e353 [tlp:white,misp-galaxy:threat-actor="Lazarus Group"] Domain visualstudiofactory.com"; dns.query; content:"visualstudiofactory.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])visualstudiofactory\.com$/i"; classtype:trojan-activity; sid:4213861; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/353;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e353 [tlp:white,misp-galaxy:threat-actor="Lazarus Group"] Outgoing HTTP Domain visualstudiofactory.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"visualstudiofactory.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])visualstudiofactory\.com[^A-Za-z0-9-\.]/Hi"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4213862; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/353;) alert dns any any -> any any (msg: "MISP e353 [tlp:white,misp-galaxy:threat-actor="Lazarus Group"] Domain zacharryblogs.com"; dns.query; content:"zacharryblogs.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])zacharryblogs\.com$/i"; classtype:trojan-activity; sid:4213871; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/353;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e353 [tlp:white,misp-galaxy:threat-actor="Lazarus Group"] Outgoing HTTP Domain zacharryblogs.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"zacharryblogs.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])zacharryblogs\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4213872; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/353;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain fosterunch.com"; dns.query; content:"fosterunch.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])fosterunch\.com$/i"; classtype:trojan-activity; sid:4215461; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain fosterunch.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"fosterunch.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])fosterunch\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215462; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain womnbling.com"; dns.query; content:"womnbling.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])womnbling\.com$/i"; classtype:trojan-activity; sid:4215471; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain womnbling.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"womnbling.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])womnbling\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215472; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain zebra-arts.com"; dns.query; content:"zebra-arts.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])zebra\-arts\.com$/i"; classtype:trojan-activity; sid:4215481; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain zebra-arts.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"zebra-arts.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])zebra\-arts\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215482; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain pennywines.com"; dns.query; content:"pennywines.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])pennywines\.com$/i"; classtype:trojan-activity; sid:4215491; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain pennywines.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pennywines.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pennywines\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215492; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain choccoline.com"; dns.query; 
content:"choccoline.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])choccoline\.com$/i"; classtype:trojan-activity; sid:4215501; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain choccoline.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"choccoline.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])choccoline\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215502; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain lateparties.com"; dns.query; content:"lateparties.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])lateparties\.com$/i"; classtype:trojan-activity; sid:4215511; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain lateparties.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lateparties.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lateparties\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215512; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain foundurycolletive.com"; dns.query; content:"foundurycolletive.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])foundurycolletive\.com$/i"; classtype:trojan-activity; sid:4215521; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain foundurycolletive.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"foundurycolletive.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])foundurycolletive\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215522; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain jungelfruitime.com"; dns.query; content:"jungelfruitime.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])jungelfruitime\.com$/i"; classtype:trojan-activity; sid:4215531; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain jungelfruitime.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"jungelfruitime.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])jungelfruitime\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215532; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain gameboysess.com"; dns.query; content:"gameboysess.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])gameboysess\.com$/i"; classtype:trojan-activity; sid:4215541; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain gameboysess.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gameboysess.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gameboysess\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215542; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain healthcovid19.com"; dns.query; content:"healthcovid19.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])healthcovid19\.com$/i"; classtype:trojan-activity; sid:4215551; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain healthcovid19.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"healthcovid19.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])healthcovid19\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215552; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain codingstudies.com"; dns.query; content:"codingstudies.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])codingstudies\.com$/i"; classtype:trojan-activity; sid:4215561; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain codingstudies.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"codingstudies.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])codingstudies\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215562; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain hoteluxurysm.com"; dns.query; content:"hoteluxurysm.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])hoteluxurysm\.com$/i"; classtype:trojan-activity; sid:4215571; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain hoteluxurysm.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hoteluxurysm.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hoteluxurysm\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215572; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 
[tlp:white] Domain newz-globe.com"; dns.query; content:"newz-globe.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])newz\-globe\.com$/i"; classtype:trojan-activity; sid:4215581; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain newz-globe.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"newz-globe.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])newz\-globe\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215582; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain hotalsextra.com"; dns.query; content:"hotalsextra.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])hotalsextra\.com$/i"; classtype:trojan-activity; sid:4215591; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain hotalsextra.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hotalsextra.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hotalsextra\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215592; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain nordmanetime.com"; dns.query; content:"nordmanetime.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])nordmanetime\.com$/i"; classtype:trojan-activity; sid:4215601; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain nordmanetime.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nordmanetime.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])nordmanetime\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215602; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain fullaniimal.com"; dns.query; content:"fullaniimal.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])fullaniimal\.com$/i"; classtype:trojan-activity; sid:4215611; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain fullaniimal.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"fullaniimal.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])fullaniimal\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215612; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain wikipedoptions.com"; dns.query; content:"wikipedoptions.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])wikipedoptions\.com$/i"; classtype:trojan-activity; sid:4215621; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain wikipedoptions.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wikipedoptions.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wikipedoptions\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215622; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain redanddred.com"; dns.query; content:"redanddred.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])redanddred\.com$/i"; classtype:trojan-activity; sid:4215631; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain redanddred.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"redanddred.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])redanddred\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215632; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain whiteandpiink.com"; dns.query; content:"whiteandpiink.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])whiteandpiink\.com$/i"; classtype:trojan-activity; sid:4215641; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain whiteandpiink.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"whiteandpiink.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])whiteandpiink\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215642; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain agronomsdoc.com"; dns.query; content:"agronomsdoc.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])agronomsdoc\.com$/i"; classtype:trojan-activity; sid:4215651; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain agronomsdoc.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"agronomsdoc.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])agronomsdoc\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215652; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain 
nutureheus.com"; dns.query; content:"nutureheus.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])nutureheus\.com$/i"; classtype:trojan-activity; sid:4215661; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain nutureheus.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nutureheus.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nutureheus\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215662; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain timeeforsports.com"; dns.query; content:"timeeforsports.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])timeeforsports\.com$/i"; classtype:trojan-activity; sid:4215671; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain timeeforsports.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"timeeforsports.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])timeeforsports\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215672; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain treerroots.com"; dns.query; content:"treerroots.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])treerroots\.com$/i"; classtype:trojan-activity; sid:4215681; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain treerroots.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"treerroots.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])treerroots\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215682; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain unitedyears.com"; dns.query; content:"unitedyears.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])unitedyears\.com$/i"; classtype:trojan-activity; sid:4215691; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain unitedyears.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"unitedyears.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])unitedyears\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215692; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain eccocredit.com"; dns.query; content:"eccocredit.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])eccocredit\.com$/i"; classtype:trojan-activity; sid:4215701; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain eccocredit.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"eccocredit.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])eccocredit\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215702; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain ecologitics.com"; dns.query; content:"ecologitics.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ecologitics\.com$/i"; classtype:trojan-activity; sid:4215711; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain ecologitics.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ecologitics.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ecologitics\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215712; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain climatestews.com"; dns.query; content:"climatestews.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])climatestews\.com$/i"; classtype:trojan-activity; sid:4215721; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain climatestews.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"climatestews.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])climatestews\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215722; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain aqualizas.com"; dns.query; content:"aqualizas.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])aqualizas\.com$/i"; classtype:trojan-activity; sid:4215731; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain aqualizas.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"aqualizas.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])aqualizas\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215732; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain bgnews-bg.com"; dns.query; content:"bgnews-bg.com"; 
nocase; pcre: "/(^|[^A-Za-z0-9-])bgnews\-bg\.com$/i"; classtype:trojan-activity; sid:4215741; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain bgnews-bg.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bgnews-bg.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bgnews\-bg\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215742; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain mikontravels.com"; dns.query; content:"mikontravels.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])mikontravels\.com$/i"; classtype:trojan-activity; sid:4215751; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain mikontravels.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mikontravels.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mikontravels\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215752; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain e-gaming.online"; dns.query; content:"e-gaming.online"; nocase; pcre: "/(^|[^A-Za-z0-9-])e\-gaming\.online$/i"; classtype:trojan-activity; sid:4215761; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain e-gaming.online"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"e-gaming.online"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])e\-gaming\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4215762; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain transformaition.com"; dns.query; content:"transformaition.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])transformaition\.com$/i"; classtype:trojan-activity; sid:4215771; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain transformaition.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"transformaition.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])transformaition\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215772; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain betterstime.com"; dns.query; content:"betterstime.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])betterstime\.com$/i"; classtype:trojan-activity; sid:4215781; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain betterstime.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"betterstime.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])betterstime\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215782; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain goshopeerz.com"; dns.query; content:"goshopeerz.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])goshopeerz\.com$/i"; classtype:trojan-activity; sid:4215791; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP 
Domain goshopeerz.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"goshopeerz.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])goshopeerz\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215792; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain countshops.com"; dns.query; content:"countshops.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])countshops\.com$/i"; classtype:trojan-activity; sid:4215801; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain countshops.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"countshops.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])countshops\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215802; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain inneture.com"; dns.query; content:"inneture.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])inneture\.com$/i"; classtype:trojan-activity; sid:4215811; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain inneture.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"inneture.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])inneture\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215812; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain shoppingeos.com"; dns.query; content:"shoppingeos.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])shoppingeos\.com$/i"; 
classtype:trojan-activity; sid:4215821; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain shoppingeos.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"shoppingeos.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])shoppingeos\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215822; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain mwww.ro"; dns.query; content:"mwww.ro"; nocase; pcre: "/(^|[^A-Za-z0-9-])mwww\.ro$/i"; classtype:trojan-activity; sid:4215831; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain mwww.ro"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mwww.ro"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mwww\.ro[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215832; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain rentalproct.com"; dns.query; content:"rentalproct.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])rentalproct\.com$/i"; classtype:trojan-activity; sid:4215841; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain rentalproct.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"rentalproct.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])rentalproct\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215842; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert 
dns any any -> any any (msg: "MISP e354 [tlp:white] Domain bcarental.com"; dns.query; content:"bcarental.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])bcarental\.com$/i"; classtype:trojan-activity; sid:4215851; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain bcarental.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bcarental.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bcarental\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215852; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain kikocruize.com"; dns.query; content:"kikocruize.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])kikocruize\.com$/i"; classtype:trojan-activity; sid:4215861; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain kikocruize.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kikocruize.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kikocruize\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215862; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain elvacream.com"; dns.query; content:"elvacream.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])elvacream\.com$/i"; classtype:trojan-activity; sid:4215871; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain elvacream.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"elvacream.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])elvacream\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215872; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain pachadesert.com"; dns.query; content:"pachadesert.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])pachadesert\.com$/i"; classtype:trojan-activity; sid:4215881; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain pachadesert.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pachadesert.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pachadesert\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215882; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain razzodev.com"; dns.query; content:"razzodev.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])razzodev\.com$/i"; classtype:trojan-activity; sid:4215891; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain razzodev.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"razzodev.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])razzodev\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215892; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain wombatcash.com"; dns.query; content:"wombatcash.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])wombatcash\.com$/i"; classtype:trojan-activity; sid:4215901; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP 
e354 [tlp:white] Outgoing HTTP Domain wombatcash.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wombatcash.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wombatcash\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215902; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain globepayinfo.com"; dns.query; content:"globepayinfo.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])globepayinfo\.com$/i"; classtype:trojan-activity; sid:4215911; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain globepayinfo.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"globepayinfo.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])globepayinfo\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215912; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain job4uhunt.com"; dns.query; content:"job4uhunt.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])job4uhunt\.com$/i"; classtype:trojan-activity; sid:4215921; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain job4uhunt.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"job4uhunt.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])job4uhunt\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215922; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain ctbgameson.com"; dns.query; content:"ctbgameson.com"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])ctbgameson\.com$/i"; classtype:trojan-activity; sid:4215931; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain ctbgameson.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ctbgameson.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ctbgameson\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215932; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain adeptary.com"; dns.query; content:"adeptary.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])adeptary\.com$/i"; classtype:trojan-activity; sid:4215941; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain adeptary.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"adeptary.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])adeptary\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215942; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain hinterfy.com"; dns.query; content:"hinterfy.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])hinterfy\.com$/i"; classtype:trojan-activity; sid:4215951; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain hinterfy.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hinterfy.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hinterfy\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215952; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain biznomex.com"; dns.query; content:"biznomex.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])biznomex\.com$/i"; classtype:trojan-activity; sid:4215961; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain biznomex.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"biznomex.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])biznomex\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215962; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain careerhub4u.com"; dns.query; content:"careerhub4u.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])careerhub4u\.com$/i"; classtype:trojan-activity; sid:4215971; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain careerhub4u.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"careerhub4u.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])careerhub4u\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215972; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain furiamoc.com"; dns.query; content:"furiamoc.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])furiamoc\.com$/i"; classtype:trojan-activity; sid:4215981; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain furiamoc.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; 
content:"furiamoc.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])furiamoc\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215982; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain motorgamings.com"; dns.query; content:"motorgamings.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])motorgamings\.com$/i"; classtype:trojan-activity; sid:4215991; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain motorgamings.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"motorgamings.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])motorgamings\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4215992; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain aniarchit.com"; dns.query; content:"aniarchit.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])aniarchit\.com$/i"; classtype:trojan-activity; sid:4216001; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain aniarchit.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"aniarchit.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])aniarchit\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216002; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain skyphotogreen.com"; dns.query; content:"skyphotogreen.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])skyphotogreen\.com$/i"; classtype:trojan-activity; sid:4216011; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain skyphotogreen.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"skyphotogreen.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])skyphotogreen\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216012; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain datacentertime.com"; dns.query; content:"datacentertime.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])datacentertime\.com$/i"; classtype:trojan-activity; sid:4216021; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain datacentertime.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"datacentertime.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])datacentertime\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216022; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain stylelifees.com"; dns.query; content:"stylelifees.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])stylelifees\.com$/i"; classtype:trojan-activity; sid:4216031; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain stylelifees.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"stylelifees.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])stylelifees\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216032; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain kidzlande.com"; dns.query; content:"kidzlande.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])kidzlande\.com$/i"; classtype:trojan-activity; sid:4216041; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain kidzlande.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kidzlande.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kidzlande\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216042; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain homelosite.com"; dns.query; content:"homelosite.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])homelosite\.com$/i"; classtype:trojan-activity; sid:4216051; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain homelosite.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"homelosite.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])homelosite\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216052; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain zooloow.com"; dns.query; content:"zooloow.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])zooloow\.com$/i"; classtype:trojan-activity; sid:4216061; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain zooloow.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; 
content:"zooloow.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])zooloow\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216062; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain studiesutshifts.com"; dns.query; content:"studiesutshifts.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])studiesutshifts\.com$/i"; classtype:trojan-activity; sid:4216071; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain studiesutshifts.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"studiesutshifts.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])studiesutshifts\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216072; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain londonistory.com"; dns.query; content:"londonistory.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])londonistory\.com$/i"; classtype:trojan-activity; sid:4216081; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain londonistory.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"londonistory.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])londonistory\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216082; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain bestteamlife.com"; dns.query; content:"bestteamlife.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])bestteamlife\.com$/i"; classtype:trojan-activity; sid:4216091; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain bestteamlife.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bestteamlife.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bestteamlife\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216092; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain newsandlocalupdates.com"; dns.query; content:"newsandlocalupdates.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])newsandlocalupdates\.com$/i"; classtype:trojan-activity; sid:4216101; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain newsandlocalupdates.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"newsandlocalupdates.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])newsandlocalupdates\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216102; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain youristores.com"; dns.query; content:"youristores.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])youristores\.com$/i"; classtype:trojan-activity; sid:4216111; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain youristores.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"youristores.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])youristores\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216112; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain gardenearthis.com"; dns.query; content:"gardenearthis.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])gardenearthis\.com$/i"; classtype:trojan-activity; sid:4216121; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain gardenearthis.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gardenearthis.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gardenearthis\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216122; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain fullstorelife.com"; dns.query; content:"fullstorelife.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])fullstorelife\.com$/i"; classtype:trojan-activity; sid:4216131; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain fullstorelife.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"fullstorelife.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])fullstorelife\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216132; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain incollegely.org"; dns.query; content:"incollegely.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])incollegely\.org$/i"; classtype:trojan-activity; sid:4216141; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain incollegely.org"; flow:to_server,established; 
http.header; content: "Host|3a|"; nocase; http.header; content:"incollegely.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])incollegely\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216142; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain shoplifys.com"; dns.query; content:"shoplifys.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])shoplifys\.com$/i"; classtype:trojan-activity; sid:4216151; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain shoplifys.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"shoplifys.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])shoplifys\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216152; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain thetimespress.com"; dns.query; content:"thetimespress.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])thetimespress\.com$/i"; classtype:trojan-activity; sid:4216161; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain thetimespress.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"thetimespress.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])thetimespress\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216162; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain studyshifts.com"; dns.query; content:"studyshifts.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])studyshifts\.com$/i"; classtype:trojan-activity; sid:4216171; 
rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain studyshifts.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"studyshifts.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])studyshifts\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216172; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain codinerom.com"; dns.query; content:"codinerom.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])codinerom\.com$/i"; classtype:trojan-activity; sid:4216181; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain codinerom.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"codinerom.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])codinerom\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216182; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain gamingcolonys.com"; dns.query; content:"gamingcolonys.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])gamingcolonys\.com$/i"; classtype:trojan-activity; sid:4216191; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain gamingcolonys.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gamingcolonys.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gamingcolonys\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216192; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain kidzalnd.org"; dns.query; content:"kidzalnd.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])kidzalnd\.org$/i"; classtype:trojan-activity; sid:4216201; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain kidzalnd.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kidzalnd.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kidzalnd\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216202; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain wildhour.store"; dns.query; content:"wildhour.store"; nocase; pcre: "/(^|[^A-Za-z0-9-])wildhour\.store$/i"; classtype:trojan-activity; sid:4216211; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain wildhour.store"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wildhour.store"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wildhour\.store[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216212; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain wilddog.site"; dns.query; content:"wilddog.site"; nocase; pcre: "/(^|[^A-Za-z0-9-])wilddog\.site$/i"; classtype:trojan-activity; sid:4216221; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain wilddog.site"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; 
content:"wilddog.site"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wilddog\.site[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216222; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain garilc.com"; dns.query; content:"garilc.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])garilc\.com$/i"; classtype:trojan-activity; sid:4216231; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain garilc.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"garilc.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])garilc\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216232; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain runningandbeyond.org"; dns.query; content:"runningandbeyond.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])runningandbeyond\.org$/i"; classtype:trojan-activity; sid:4216241; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain runningandbeyond.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"runningandbeyond.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])runningandbeyond\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216242; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain fullmoongreyparty.org"; dns.query; content:"fullmoongreyparty.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])fullmoongreyparty\.org$/i"; classtype:trojan-activity; sid:4216251; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain fullmoongreyparty.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"fullmoongreyparty.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])fullmoongreyparty\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216252; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain greenrunners.org"; dns.query; content:"greenrunners.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])greenrunners\.org$/i"; classtype:trojan-activity; sid:4216261; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain greenrunners.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"greenrunners.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])greenrunners\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216262; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain sunsandlights.com"; dns.query; content:"sunsandlights.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])sunsandlights\.com$/i"; classtype:trojan-activity; sid:4216271; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain sunsandlights.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sunsandlights.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sunsandlights\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216272; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain techpowerlight.com"; dns.query; content:"techpowerlight.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])techpowerlight\.com$/i"; classtype:trojan-activity; sid:4216281; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain techpowerlight.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"techpowerlight.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])techpowerlight\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216282; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain gamezess.com"; dns.query; content:"gamezess.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])gamezess\.com$/i"; classtype:trojan-activity; sid:4216291; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain gamezess.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gamezess.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gamezess\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216292; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain planningly.org"; dns.query; content:"planningly.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])planningly\.org$/i"; classtype:trojan-activity; sid:4216301; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain planningly.org"; flow:to_server,established; http.header; content: "Host|3a|"; 
nocase; http.header; content:"planningly.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])planningly\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216302; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain luxario.org"; dns.query; content:"luxario.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])luxario\.org$/i"; classtype:trojan-activity; sid:4216311; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain luxario.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"luxario.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])luxario\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216312; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain vinoneros.com"; dns.query; content:"vinoneros.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])vinoneros\.com$/i"; classtype:trojan-activity; sid:4216321; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain vinoneros.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vinoneros.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vinoneros\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216322; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain i-reality.online"; dns.query; content:"i-reality.online"; nocase; pcre: "/(^|[^A-Za-z0-9-])i\-reality\.online$/i"; classtype:trojan-activity; sid:4216331; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain i-reality.online"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"i-reality.online"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])i\-reality\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216332; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain styleanature.com"; dns.query; content:"styleanature.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])styleanature\.com$/i"; classtype:trojan-activity; sid:4216341; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain styleanature.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"styleanature.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])styleanature\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216342; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain planetosgame.com"; dns.query; content:"planetosgame.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])planetosgame\.com$/i"; classtype:trojan-activity; sid:4216351; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain planetosgame.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"planetosgame.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])planetosgame\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216352; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) 
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain kidsfunland.org"; dns.query; content:"kidsfunland.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])kidsfunland\.org$/i"; classtype:trojan-activity; sid:4216361; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain kidsfunland.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kidsfunland.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kidsfunland\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216362; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain localtallk.store"; dns.query; content:"localtallk.store"; nocase; pcre: "/(^|[^A-Za-z0-9-])localtallk\.store$/i"; classtype:trojan-activity; sid:4216371; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain localtallk.store"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"localtallk.store"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])localtallk\.store[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216372; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain allplaces.online"; dns.query; content:"allplaces.online"; nocase; pcre: "/(^|[^A-Za-z0-9-])allplaces\.online$/i"; classtype:trojan-activity; sid:4216381; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain allplaces.online"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; 
content:"allplaces.online"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])allplaces\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216382; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain sunclub.site"; dns.query; content:"sunclub.site"; nocase; pcre: "/(^|[^A-Za-z0-9-])sunclub\.site$/i"; classtype:trojan-activity; sid:4216391; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain sunclub.site"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sunclub.site"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sunclub\.site[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216392; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain thenewsfill.com"; dns.query; content:"thenewsfill.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])thenewsfill\.com$/i"; classtype:trojan-activity; sid:4216401; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain thenewsfill.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"thenewsfill.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])thenewsfill\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216402; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain wellnessjane.org"; dns.query; content:"wellnessjane.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])wellnessjane\.org$/i"; classtype:trojan-activity; sid:4216411; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/354;)
# --- MISP event 354 (tlp:white): domain indicators, one DNS rule + one cleartext-HTTP rule per domain ---
# Reviewer notes before loading this block into production:
#  * DNS rules: "alert dns any any -> any any" with dns.query and an anchored pcre. The leading
#    (^|[^A-Za-z0-9-]) class lets a subdomain of the indicator match (the dot is not excluded) but
#    rejects "notmeehealth.org"-style superstrings; the trailing "$" rejects "meehealth.org.example".
#    Because the rule is direction-agnostic, a monitored recursive resolver will raise the same
#    alert twice per lookup (client -> resolver, resolver -> upstream).
#  * HTTP rules: "alert http $HOME_NET any -> $EXTERNAL_NET any" matching the Host header in the
#    http.header buffer. The trailing [^A-Za-z0-9-\.] class needs one character after the name
#    (normally the line terminator, a ":port" or whitespace) and stops "<domain>.something" and
#    "<domain>-foo" from matching. These rules only see HTTP that Suricata can parse: TLS to the
#    same hosts is covered only by the DNS lookup that precedes it (unless TLS is terminated
#    upstream of the sensor). If clients resolve off-sensor (e.g. DoH), add tls.sni rules —
#    not part of this export.
#  * Every HTTP rule carries tag:session,600,seconds: one hit logs the full session for the
#    next 10 minutes. Budget packet/log storage for that before enabling the block broadly.
#  * priority:1 and classtype:trojan-activity are uniform across the whole event; treat them as
#    the exporter's per-event defaults, not as a per-indicator severity judgement. Several names
#    look generic (recovery-plan.org, teachlearning.org, retailmark.net); check the referenced
#    MISP event before turning any of these from alert into drop.
#  * The Host-header pcre uses the legacy "/H" flag on top of the http.header sticky buffer.
#    This is how MISP emits it and appears redundant rather than wrong — confirm the target
#    Suricata version still accepts that combination before loading.
#  * sids in this block run 4216412 .. 4216951 (DNS rule = ...1, HTTP rule = ...2 per domain);
#    keep them unique against any locally authored rules in the same sid range.
#  * Each rule must stay on a single line; the export is one rule per line.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain wellnessjane.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wellnessjane.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wellnessjane\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216412; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain meehealth.org"; dns.query; content:"meehealth.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])meehealth\.org$/i"; classtype:trojan-activity; sid:4216421; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain meehealth.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"meehealth.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])meehealth\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216422; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain gameizes.com"; dns.query; content:"gameizes.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])gameizes\.com$/i"; classtype:trojan-activity; sid:4216431; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain gameizes.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gameizes.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gameizes\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216432; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain playozas.com"; dns.query; content:"playozas.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])playozas\.com$/i"; classtype:trojan-activity; sid:4216441; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain playozas.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"playozas.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])playozas\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216442; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain foodyplates.com"; dns.query; content:"foodyplates.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])foodyplates\.com$/i"; classtype:trojan-activity; sid:4216451; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain foodyplates.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"foodyplates.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])foodyplates\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216452; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain designaroo.org"; dns.query; content:"designaroo.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])designaroo\.org$/i"; classtype:trojan-activity; sid:4216461; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain designaroo.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"designaroo.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])designaroo\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216462; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain designspacing.org"; dns.query; content:"designspacing.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])designspacing\.org$/i"; classtype:trojan-activity; sid:4216471; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain designspacing.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"designspacing.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])designspacing\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216472; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain stockstiming.org"; dns.query; content:"stockstiming.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])stockstiming\.org$/i"; classtype:trojan-activity; sid:4216481; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain stockstiming.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"stockstiming.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])stockstiming\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216482; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain hoteliqo.com"; dns.query; content:"hoteliqo.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])hoteliqo\.com$/i"; classtype:trojan-activity; sid:4216491; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain hoteliqo.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hoteliqo.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hoteliqo\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216492; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain projectoid.org"; dns.query; content:"projectoid.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])projectoid\.org$/i"; classtype:trojan-activity; sid:4216501; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain projectoid.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"projectoid.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])projectoid\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216502; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain study-search.com"; dns.query; content:"study-search.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])study\-search\.com$/i"; classtype:trojan-activity; sid:4216511; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain study-search.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"study-search.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])study\-search\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216512; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain tokenberries.com"; dns.query; content:"tokenberries.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])tokenberries\.com$/i"; classtype:trojan-activity; sid:4216521; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain tokenberries.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tokenberries.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tokenberries\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216522; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain recovery-plan.org"; dns.query; content:"recovery-plan.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])recovery\-plan\.org$/i"; classtype:trojan-activity; sid:4216531; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain recovery-plan.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"recovery-plan.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])recovery\-plan\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216532; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain deliverystorz.com"; dns.query; content:"deliverystorz.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])deliverystorz\.com$/i"; classtype:trojan-activity; sid:4216541; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain deliverystorz.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"deliverystorz.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])deliverystorz\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216542; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain forestaaa.com"; dns.query; content:"forestaaa.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])forestaaa\.com$/i"; classtype:trojan-activity; sid:4216551; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain forestaaa.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"forestaaa.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])forestaaa\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216552; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain addictmetui.com"; dns.query; content:"addictmetui.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])addictmetui\.com$/i"; classtype:trojan-activity; sid:4216561; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain addictmetui.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"addictmetui.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])addictmetui\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216562; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain earthyouwantiis.com"; dns.query; content:"earthyouwantiis.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])earthyouwantiis\.com$/i"; classtype:trojan-activity; sid:4216571; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain earthyouwantiis.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"earthyouwantiis.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])earthyouwantiis\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216572; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain zedforme.com"; dns.query; content:"zedforme.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])zedforme\.com$/i"; classtype:trojan-activity; sid:4216581; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain zedforme.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"zedforme.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])zedforme\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216582; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain navadatime.com"; dns.query; content:"navadatime.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])navadatime\.com$/i"; classtype:trojan-activity; sid:4216591; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain navadatime.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"navadatime.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])navadatime\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216592; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain careers4ad.com"; dns.query; content:"careers4ad.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])careers4ad\.com$/i"; classtype:trojan-activity; sid:4216601; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain careers4ad.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"careers4ad.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])careers4ad\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216602; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain studyreaserch.com"; dns.query; content:"studyreaserch.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])studyreaserch\.com$/i"; classtype:trojan-activity; sid:4216611; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain studyreaserch.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"studyreaserch.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])studyreaserch\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216612; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain novinite.biz"; dns.query; content:"novinite.biz"; nocase; pcre: "/(^|[^A-Za-z0-9-])novinite\.biz$/i"; classtype:trojan-activity; sid:4216621; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain novinite.biz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"novinite.biz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])novinite\.biz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216622; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain dressuse.com"; dns.query; content:"dressuse.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])dressuse\.com$/i"; classtype:trojan-activity; sid:4216631; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain dressuse.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dressuse.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dressuse\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216632; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain iwoodstor.xyz"; dns.query; content:"iwoodstor.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])iwoodstor\.xyz$/i"; classtype:trojan-activity; sid:4216641; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain iwoodstor.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"iwoodstor.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])iwoodstor\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216642; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain teachlearning.org"; dns.query; content:"teachlearning.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])teachlearning\.org$/i"; classtype:trojan-activity; sid:4216651; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain teachlearning.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"teachlearning.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])teachlearning\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216652; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain subcloud.online"; dns.query; content:"subcloud.online"; nocase; pcre: "/(^|[^A-Za-z0-9-])subcloud\.online$/i"; classtype:trojan-activity; sid:4216661; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain subcloud.online"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"subcloud.online"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])subcloud\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216662; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain monvesting.com"; dns.query; content:"monvesting.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])monvesting\.com$/i"; classtype:trojan-activity; sid:4216671; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain monvesting.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"monvesting.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])monvesting\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216672; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain elektrozi.com"; dns.query; content:"elektrozi.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])elektrozi\.com$/i"; classtype:trojan-activity; sid:4216681; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain elektrozi.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"elektrozi.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])elektrozi\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216682; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain hopsite.online"; dns.query; content:"hopsite.online"; nocase; pcre: "/(^|[^A-Za-z0-9-])hopsite\.online$/i"; classtype:trojan-activity; sid:4216691; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain hopsite.online"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hopsite.online"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hopsite\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216692; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain bikersrental.com"; dns.query; content:"bikersrental.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])bikersrental\.com$/i"; classtype:trojan-activity; sid:4216701; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain bikersrental.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bikersrental.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bikersrental\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216702; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain takestox.com"; dns.query; content:"takestox.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])takestox\.com$/i"; classtype:trojan-activity; sid:4216711; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain takestox.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"takestox.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])takestox\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216712; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain sidelot.org"; dns.query; content:"sidelot.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])sidelot\.org$/i"; classtype:trojan-activity; sid:4216721; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain sidelot.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sidelot.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sidelot\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216722; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain powercodings.com"; dns.query; content:"powercodings.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])powercodings\.com$/i"; classtype:trojan-activity; sid:4216731; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain powercodings.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"powercodings.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])powercodings\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216732; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain naturemeter.org"; dns.query; content:"naturemeter.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])naturemeter\.org$/i"; classtype:trojan-activity; sid:4216741; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain naturemeter.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"naturemeter.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])naturemeter\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216742; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain takebreak.io"; dns.query; content:"takebreak.io"; nocase; pcre: "/(^|[^A-Za-z0-9-])takebreak\.io$/i"; classtype:trojan-activity; sid:4216751; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain takebreak.io"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"takebreak.io"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])takebreak\.io[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216752; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain noraplant.com"; dns.query; content:"noraplant.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])noraplant\.com$/i"; classtype:trojan-activity; sid:4216761; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain noraplant.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"noraplant.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])noraplant\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216762; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain goodsforuw.com"; dns.query; content:"goodsforuw.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])goodsforuw\.com$/i"; classtype:trojan-activity; sid:4216771; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain goodsforuw.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"goodsforuw.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])goodsforuw\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216772; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain stayle.co"; dns.query; content:"stayle.co"; nocase; pcre: "/(^|[^A-Za-z0-9-])stayle\.co$/i"; classtype:trojan-activity; sid:4216781; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain stayle.co"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"stayle.co"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])stayle\.co[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216782; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain eedloversra.online"; dns.query; content:"eedloversra.online"; nocase; pcre: "/(^|[^A-Za-z0-9-])eedloversra\.online$/i"; classtype:trojan-activity; sid:4216791; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain eedloversra.online"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"eedloversra.online"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])eedloversra\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216792; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain sevensdfe.com"; dns.query; content:"sevensdfe.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])sevensdfe\.com$/i"; classtype:trojan-activity; sid:4216801; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain sevensdfe.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sevensdfe.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sevensdfe\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216802; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain dsudro.com"; dns.query; content:"dsudro.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])dsudro\.com$/i"; classtype:trojan-activity; sid:4216811; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain dsudro.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dsudro.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dsudro\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216812; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain sseamb.com"; dns.query; content:"sseamb.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])sseamb\.com$/i"; classtype:trojan-activity; sid:4216821; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain sseamb.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sseamb.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sseamb\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216822; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain recover-your-body.xyz"; dns.query; content:"recover-your-body.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])recover\-your\-body\.xyz$/i"; classtype:trojan-activity; sid:4216831; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain recover-your-body.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"recover-your-body.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])recover\-your\-body\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216832; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain reloadyourbrowser.info"; dns.query; content:"reloadyourbrowser.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])reloadyourbrowser\.info$/i"; classtype:trojan-activity; sid:4216841; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain reloadyourbrowser.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"reloadyourbrowser.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])reloadyourbrowser\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216842; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain comeandpet.me"; dns.query; content:"comeandpet.me"; nocase; pcre: "/(^|[^A-Za-z0-9-])comeandpet\.me$/i"; classtype:trojan-activity; sid:4216851; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain comeandpet.me"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"comeandpet.me"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])comeandpet\.me[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216852; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain brushyourteeth.online"; dns.query; content:"brushyourteeth.online"; nocase; pcre: "/(^|[^A-Za-z0-9-])brushyourteeth\.online$/i"; classtype:trojan-activity; sid:4216861; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain brushyourteeth.online"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"brushyourteeth.online"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])brushyourteeth\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216862; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain digital-mar.com"; dns.query; content:"digital-mar.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])digital\-mar\.com$/i"; classtype:trojan-activity; sid:4216871; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain digital-mar.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"digital-mar.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])digital\-mar\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216872; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain retailmark.net"; dns.query; content:"retailmark.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])retailmark\.net$/i"; classtype:trojan-activity; sid:4216881; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain retailmark.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"retailmark.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])retailmark\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216882; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain studysliii.com"; dns.query; content:"studysliii.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])studysliii\.com$/i"; classtype:trojan-activity; sid:4216891; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain studysliii.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"studysliii.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])studysliii\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216892; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain homeigardens.com"; dns.query; content:"homeigardens.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])homeigardens\.com$/i"; classtype:trojan-activity; sid:4216901; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain homeigardens.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"homeigardens.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])homeigardens\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216902; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain koraliowe.com"; dns.query; content:"koraliowe.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])koraliowe\.com$/i"; classtype:trojan-activity; sid:4216911; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain koraliowe.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"koraliowe.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])koraliowe\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216912; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain topuprr.com"; dns.query; content:"topuprr.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])topuprr\.com$/i"; classtype:trojan-activity; sid:4216921; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain topuprr.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"topuprr.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])topuprr\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216922; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain zeebefg.com"; dns.query; content:"zeebefg.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])zeebefg\.com$/i"; classtype:trojan-activity; sid:4216931; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain zeebefg.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"zeebefg.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])zeebefg\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216932; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain newsbuiltin.online"; dns.query; content:"newsbuiltin.online"; nocase; pcre: "/(^|[^A-Za-z0-9-])newsbuiltin\.online$/i"; classtype:trojan-activity; sid:4216941; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain newsbuiltin.online"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"newsbuiltin.online"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])newsbuiltin\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216942; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;)
alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain jyfa.xyz"; dns.query; content:"jyfa.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])jyfa\.xyz$/i"; classtype:trojan-activity; sid:4216951; rev:1; 
priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain jyfa.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"jyfa.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])jyfa\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216952; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain thepila.com"; dns.query; content:"thepila.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])thepila\.com$/i"; classtype:trojan-activity; sid:4216961; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain thepila.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"thepila.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])thepila\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216962; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain thegreenlight.xyz"; dns.query; content:"thegreenlight.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])thegreenlight\.xyz$/i"; classtype:trojan-activity; sid:4216971; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain thegreenlight.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"thegreenlight.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])thegreenlight\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216972; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: 
"MISP e354 [tlp:white] Domain gosport24.com"; dns.query; content:"gosport24.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])gosport24\.com$/i"; classtype:trojan-activity; sid:4216981; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain gosport24.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gosport24.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gosport24\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216982; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain classiccolor.live"; dns.query; content:"classiccolor.live"; nocase; pcre: "/(^|[^A-Za-z0-9-])classiccolor\.live$/i"; classtype:trojan-activity; sid:4216991; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain classiccolor.live"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"classiccolor.live"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])classiccolor\.live[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4216992; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain shoeszise.xyz"; dns.query; content:"shoeszise.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])shoeszise\.xyz$/i"; classtype:trojan-activity; sid:4217001; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain shoeszise.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"shoeszise.xyz"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])shoeszise\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4217002; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain cleanitgo.info"; dns.query; content:"cleanitgo.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])cleanitgo\.info$/i"; classtype:trojan-activity; sid:4217011; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain cleanitgo.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cleanitgo.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cleanitgo\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4217012; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain setclass.live"; dns.query; content:"setclass.live"; nocase; pcre: "/(^|[^A-Za-z0-9-])setclass\.live$/i"; classtype:trojan-activity; sid:4217021; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain setclass.live"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"setclass.live"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])setclass\.live[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4217022; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain white-rhino.online"; dns.query; content:"white-rhino.online"; nocase; pcre: "/(^|[^A-Za-z0-9-])white\-rhino\.online$/i"; classtype:trojan-activity; sid:4217031; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain white-rhino.online"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"white-rhino.online"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])white\-rhino\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4217032; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain space-moon.com"; dns.query; content:"space-moon.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])space\-moon\.com$/i"; classtype:trojan-activity; sid:4217041; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain space-moon.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"space-moon.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])space\-moon\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4217042; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain enrollering.com"; dns.query; content:"enrollering.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])enrollering\.com$/i"; classtype:trojan-activity; sid:4217051; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain enrollering.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"enrollering.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])enrollering\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4217052; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain newslocalupdates.com"; dns.query; 
content:"newslocalupdates.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])newslocalupdates\.com$/i"; classtype:trojan-activity; sid:4217061; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain newslocalupdates.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"newslocalupdates.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])newslocalupdates\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4217062; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain beendos.com"; dns.query; content:"beendos.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])beendos\.com$/i"; classtype:trojan-activity; sid:4217071; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain beendos.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"beendos.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])beendos\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4217072; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain linestrip.online"; dns.query; content:"linestrip.online"; nocase; pcre: "/(^|[^A-Za-z0-9-])linestrip\.online$/i"; classtype:trojan-activity; sid:4217081; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain linestrip.online"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"linestrip.online"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])linestrip\.online[^A-Za-z0-9-\.]/Hi"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4217082; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert dns any any -> any any (msg: "MISP e354 [tlp:white] Domain sunnyweek.site"; dns.query; content:"sunnyweek.site"; nocase; pcre: "/(^|[^A-Za-z0-9-])sunnyweek\.site$/i"; classtype:trojan-activity; sid:4217091; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e354 [tlp:white] Outgoing HTTP Domain sunnyweek.site"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sunnyweek.site"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sunnyweek\.site[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4217092; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/354;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e355 [tlp:white] Outgoing URL https|3a|//www.tradingtechnologies.com/trading/order-management"; tls.sni; content:"www.tradingtechnologies.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4217331; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/355;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e356 [tlp:white] Outgoing URL https|3a|//gmall-52fb5-default-rtdb.asia-southeast1.firebasedatabase.app/"; tls.sni; content:"gmall-52fb5-default-rtdb.asia-southeast1.firebasedatabase.app"; tag:session,600,seconds; classtype:trojan-activity; sid:4217671; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/356;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e356 [tlp:white] Outgoing URL https|3a|//go0gle-service-default-rtdb.firebaseio.com/"; tls.sni; content:"go0gle-service-default-rtdb.firebaseio.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4217681; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/356;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: 
"MISP e356 [tlp:white] Outgoing URL https|3a|//graph.microsoft.com/beta/users/3517e816-6719-4b16-9b40-63cc779da77c/mailFolders"; tls.sni; content:"graph.microsoft.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4217691; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/356;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e356 [tlp:white] Outgoing URL https|3a|//www.dropbox.com/s/6a8u8wlpvv73fe4/"; tls.sni; content:"www.dropbox.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4217701; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/356;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e356 [tlp:white] Outgoing URL https|3a|//www.dropbox.com/s/hbc5yz8z116zbi9/"; tls.sni; content:"www.dropbox.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4217711; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/356;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e356 [tlp:white] Outgoing URL https|3a|//socialmsdnmicrosoft.azurewebsites.net/AAA/"; tls.sni; content:"socialmsdnmicrosoft.azurewebsites.net"; tag:session,600,seconds; classtype:trojan-activity; sid:4217721; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/356;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e356 [tlp:white] Outgoing URL https|3a|//socialmsdnmicrosoft.azurewebsites.net/ABB/"; tls.sni; content:"socialmsdnmicrosoft.azurewebsites.net"; tag:session,600,seconds; classtype:trojan-activity; sid:4217731; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/356;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e356 [tlp:white] Outgoing URL https|3a|//socialmsdnmicrosoft.azurewebsites.net/AMA/"; tls.sni; content:"socialmsdnmicrosoft.azurewebsites.net"; tag:session,600,seconds; classtype:trojan-activity; sid:4217741; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/356;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 
(msg: "MISP e356 [tlp:white] Outgoing URL https|3a|//socialmsdnmicrosoft.azurewebsites.net/AS/"; tls.sni; content:"socialmsdnmicrosoft.azurewebsites.net"; tag:session,600,seconds; classtype:trojan-activity; sid:4217751; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/356;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e356 [tlp:white] Outgoing URL https|3a|//akam.azurewebsites.net/api/File/Upload"; tls.sni; content:"akam.azurewebsites.net"; tag:session,600,seconds; classtype:trojan-activity; sid:4217761; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/356;) alert ip $HOME_NET any -> 193.29.56.122 any (msg: "MISP e356 [tlp:white] Outgoing To IP: 193.29.56.122"; classtype:trojan-activity; sid:4217771; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/356;) alert ip $HOME_NET any -> 91.228.147.23 any (msg: "MISP e360 [tlp:white] Outgoing To IP: 91.228.147.23"; classtype:trojan-activity; sid:4218451; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/360;) alert dns any any -> any any (msg: "MISP e360 [tlp:white] Domain curveroad.com"; dns.query; content:"curveroad.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])curveroad\.com$/i"; classtype:trojan-activity; sid:4218461; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/360;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e360 [tlp:white] Outgoing HTTP Domain curveroad.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"curveroad.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])curveroad\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4218462; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/360;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e359 [tlp:white,misp-galaxy:misp-attack-pattern="Initial Access - Phishing [T1566]",misp-galaxy:misp-attack-pattern="Credential Access - OS 
Credential Dumping: NTDS [T1003.003]",misp-galaxy:misp-attack-pattern="Persistence - Create Account: Local Account [T1136.001]",misp-galaxy:misp-attack-pattern="Exfiltration - Exfiltration Over Alternative Protocol [T1048]",misp-galaxy:misp-attack-pattern="Discovery - Permission Groups Discovery: Domain Groups [T1069.002]",misp-galaxy:misp-attack-pattern="Discovery - Query Registry [T1012]",misp-galaxy:misp-attack-pattern="Resource Development - Develop Capabilities: Malware [T1587.001]",misp-galaxy:misp-attack-pattern="Command and Control - Remote File Copy [T1105]",misp-galaxy:misp-attack-pattern="Lateral Movement - Remote Services: Remote Desktop Protocol [T1021.001]",misp-galaxy:misp-attack-pattern="Impact - Data Encrypted for Impact [T1486]",misp-galaxy:misp-attack-pattern="Discovery - Network Service Discovery[T1046]",misp-galaxy:misp-attack-pattern="Discovery - File and Directory Discovery [T1083]",misp-galaxy:misp-attack-pattern="Collection - Clipboard Data [T1115]",misp-galaxy:misp-attack-pattern="Exfiltration - Exfiltration Over Web Service: Exfiltration to Cloud Storage [T1567.002]",misp-galaxy:misp-attack-pattern="Discovery - Account Discovery: Domain Account [T1087.002]",misp-galaxy:misp-attack-pattern="Execution - Scheduled Task/Job: Scheduled Task [T1053.005]",misp-galaxy:misp-attack-pattern="Credential Access - Unsecured Credentials: Credentials In Files [T1552.001]",misp-galaxy:misp-attack-pattern="Execution - Command and Scripting Interpreter: Windows Command Shell [T1059.003]",misp-galaxy:misp-attack-pattern="Credential Access - OS Credential Dumping: LSASS Memory [T1003.001]",misp-galaxy:misp-attack-pattern="Command and Control - Remote Access Software [T1219]",misp-galaxy:misp-attack-pattern="Defense Evasion - Modify Registry [T1112]",misp-galaxy:misp-attack-pattern="Discovery - Network Share Discovery [T1135]",misp-galaxy:misp-attack-pattern="Discovery - Domain Trust Discovery [T1482]",misp-galaxy:misp-attack-pattern="Discovery - System 
Owner/User Discovery [T1033]",misp-galaxy:misp-attack-pattern="Defense Evasion - Impair Defenses: Disable or Modify Tools [T1562.001]",misp-galaxy:misp-attack-pattern="Privilege Escalation - Valid Accounts [T1078]",misp-galaxy:misp-attack-pattern="Defense Evasion - Impair Defenses: Disable or Modify System Firewall [T1562.004]",misp-galaxy:misp-attack-pattern="Discovery - Remote System Discovery [T1018]",misp-galaxy:misp-attack-pattern="Persistence - Account Manipulation [T1098]",misp-galaxy:misp-attack-pattern="Execution - Command and Scripting Interpreter: PowerShell [T1059.001]",misp-galaxy:misp-attack-pattern="Exfiltration - Transfer Data to Cloud Account [T1537]",misp-galaxy:malpedia="BianLian"] Outgoing URL http|3a|//bianlianlbc5an4kgnay3opdemgcryg2gnay3opdemgcryg2kpfcbgczopmm3dnbz3uaunad.onion"; flow:to_server,established; http.header; content:"bianlianlbc5an4kgnay3opdemgcryg2gnay3opdemgcryg2kpfcbgczopmm3dnbz3uaunad.onion"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4218131; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/359;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e359 [tlp:white,misp-galaxy:misp-attack-pattern="Initial Access - Phishing [T1566]",misp-galaxy:misp-attack-pattern="Credential Access - OS Credential Dumping: NTDS [T1003.003]",misp-galaxy:misp-attack-pattern="Persistence - Create Account: Local Account [T1136.001]",misp-galaxy:misp-attack-pattern="Exfiltration - Exfiltration Over Alternative Protocol [T1048]",misp-galaxy:misp-attack-pattern="Discovery - Permission Groups Discovery: Domain Groups [T1069.002]",misp-galaxy:misp-attack-pattern="Discovery - Query Registry [T1012]",misp-galaxy:misp-attack-pattern="Resource Development - Develop Capabilities: Malware [T1587.001]",misp-galaxy:misp-attack-pattern="Command and Control - Remote File Copy [T1105]",misp-galaxy:misp-attack-pattern="Lateral Movement - Remote Services: Remote Desktop Protocol 
[T1021.001]",misp-galaxy:misp-attack-pattern="Impact - Data Encrypted for Impact [T1486]",misp-galaxy:misp-attack-pattern="Discovery - Network Service Discovery[T1046]",misp-galaxy:misp-attack-pattern="Discovery - File and Directory Discovery [T1083]",misp-galaxy:misp-attack-pattern="Collection - Clipboard Data [T1115]",misp-galaxy:misp-attack-pattern="Exfiltration - Exfiltration Over Web Service: Exfiltration to Cloud Storage [T1567.002]",misp-galaxy:misp-attack-pattern="Discovery - Account Discovery: Domain Account [T1087.002]",misp-galaxy:misp-attack-pattern="Execution - Scheduled Task/Job: Scheduled Task [T1053.005]",misp-galaxy:misp-attack-pattern="Credential Access - Unsecured Credentials: Credentials In Files [T1552.001]",misp-galaxy:misp-attack-pattern="Execution - Command and Scripting Interpreter: Windows Command Shell [T1059.003]",misp-galaxy:misp-attack-pattern="Credential Access - OS Credential Dumping: LSASS Memory [T1003.001]",misp-galaxy:misp-attack-pattern="Command and Control - Remote Access Software [T1219]",misp-galaxy:misp-attack-pattern="Defense Evasion - Modify Registry [T1112]",misp-galaxy:misp-attack-pattern="Discovery - Network Share Discovery [T1135]",misp-galaxy:misp-attack-pattern="Discovery - Domain Trust Discovery [T1482]",misp-galaxy:misp-attack-pattern="Discovery - System Owner/User Discovery [T1033]",misp-galaxy:misp-attack-pattern="Defense Evasion - Impair Defenses: Disable or Modify Tools [T1562.001]",misp-galaxy:misp-attack-pattern="Privilege Escalation - Valid Accounts [T1078]",misp-galaxy:misp-attack-pattern="Defense Evasion - Impair Defenses: Disable or Modify System Firewall [T1562.004]",misp-galaxy:misp-attack-pattern="Discovery - Remote System Discovery [T1018]",misp-galaxy:misp-attack-pattern="Persistence - Account Manipulation [T1098]",misp-galaxy:misp-attack-pattern="Execution - Command and Scripting Interpreter: PowerShell [T1059.001]",misp-galaxy:misp-attack-pattern="Exfiltration - Transfer Data to Cloud Account 
[T1537]",misp-galaxy:malpedia="BianLian"] Source Email Address: xxx@mail2tor.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"xxx@mail2tor.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4218141; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/359;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e359 [tlp:white,misp-galaxy:misp-attack-pattern="Initial Access - Phishing [T1566]",misp-galaxy:misp-attack-pattern="Credential Access - OS Credential Dumping: NTDS [T1003.003]",misp-galaxy:misp-attack-pattern="Persistence - Create Account: Local Account [T1136.001]",misp-galaxy:misp-attack-pattern="Exfiltration - Exfiltration Over Alternative Protocol [T1048]",misp-galaxy:misp-attack-pattern="Discovery - Permission Groups Discovery: Domain Groups [T1069.002]",misp-galaxy:misp-attack-pattern="Discovery - Query Registry [T1012]",misp-galaxy:misp-attack-pattern="Resource Development - Develop Capabilities: Malware [T1587.001]",misp-galaxy:misp-attack-pattern="Command and Control - Remote File Copy [T1105]",misp-galaxy:misp-attack-pattern="Lateral Movement - Remote Services: Remote Desktop Protocol [T1021.001]",misp-galaxy:misp-attack-pattern="Impact - Data Encrypted for Impact [T1486]",misp-galaxy:misp-attack-pattern="Discovery - Network Service Discovery[T1046]",misp-galaxy:misp-attack-pattern="Discovery - File and Directory Discovery [T1083]",misp-galaxy:misp-attack-pattern="Collection - Clipboard Data [T1115]",misp-galaxy:misp-attack-pattern="Exfiltration - Exfiltration Over Web Service: Exfiltration to Cloud Storage [T1567.002]",misp-galaxy:misp-attack-pattern="Discovery - Account Discovery: Domain Account [T1087.002]",misp-galaxy:misp-attack-pattern="Execution - Scheduled Task/Job: Scheduled Task [T1053.005]",misp-galaxy:misp-attack-pattern="Credential Access - Unsecured Credentials: Credentials In Files 
[T1552.001]",misp-galaxy:misp-attack-pattern="Execution - Command and Scripting Interpreter: Windows Command Shell [T1059.003]",misp-galaxy:misp-attack-pattern="Credential Access - OS Credential Dumping: LSASS Memory [T1003.001]",misp-galaxy:misp-attack-pattern="Command and Control - Remote Access Software [T1219]",misp-galaxy:misp-attack-pattern="Defense Evasion - Modify Registry [T1112]",misp-galaxy:misp-attack-pattern="Discovery - Network Share Discovery [T1135]",misp-galaxy:misp-attack-pattern="Discovery - Domain Trust Discovery [T1482]",misp-galaxy:misp-attack-pattern="Discovery - System Owner/User Discovery [T1033]",misp-galaxy:misp-attack-pattern="Defense Evasion - Impair Defenses: Disable or Modify Tools [T1562.001]",misp-galaxy:misp-attack-pattern="Privilege Escalation - Valid Accounts [T1078]",misp-galaxy:misp-attack-pattern="Defense Evasion - Impair Defenses: Disable or Modify System Firewall [T1562.004]",misp-galaxy:misp-attack-pattern="Discovery - Remote System Discovery [T1018]",misp-galaxy:misp-attack-pattern="Persistence - Account Manipulation [T1098]",misp-galaxy:misp-attack-pattern="Execution - Command and Scripting Interpreter: PowerShell [T1059.001]",misp-galaxy:misp-attack-pattern="Exfiltration - Transfer Data to Cloud Account [T1537]",misp-galaxy:malpedia="BianLian"] Source Email Address: swikipedia@onionmail.org"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"swikipedia@onionmail.org"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4218151; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/359;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing URL hxxs|3a|//paknavy.defpak.org/5973/1/8665/2/0/0/0/m/files-f8fd19ec/file.rtf"; flow:to_server,established; http.uri; 
content:"hxxs|3a|//paknavy.defpak.org/5973/1/8665/2/0/0/0/m/files-f8fd19ec/file.rtf"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4218561; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname paknavy.defpak.org"; dns.query; content:"paknavy.defpak.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])paknavy\.defpak\.org$/i"; classtype:trojan-activity; sid:4218571; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname paknavy.defpak.org"; flow:to_server,established; http.header; content: "Host|3a| paknavy.defpak.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])paknavy\.defpak\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4218572; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing URL https|3a|//cstc-spares-vip-163.dowmload.net/14668/1/1228/2/0/0/0/m/files-403a1120/file.rtf"; tls.sni; content:"cstc-spares-vip-163.dowmload.net"; tag:session,600,seconds; classtype:trojan-activity; sid:4218601; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname cstc-spares-vip-163.dowmload.net"; dns.query; 
content:"cstc-spares-vip-163.dowmload.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cstc\-spares\-vip\-163\.dowmload\.net$/i"; classtype:trojan-activity; sid:4218611; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname cstc-spares-vip-163.dowmload.net"; flow:to_server,established; http.header; content: "Host|3a| cstc-spares-vip-163.dowmload.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cstc\-spares\-vip\-163\.dowmload\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4218612; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing URL https|3a|//mtss.bol-south.org/5974/1/8682/2/0/0/0/m/files-b2dff0ca/file.rtf"; tls.sni; content:"mtss.bol-south.org"; tag:session,600,seconds; classtype:trojan-activity; sid:4218641; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname mtss.bol-south.org"; dns.query; content:"mtss.bol-south.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mtss\.bol\-south\.org$/i"; classtype:trojan-activity; sid:4218651; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname mtss.bol-south.org"; 
flow:to_server,established; http.header; content: "Host|3a| mtss.bol-south.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mtss\.bol\-south\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4218652; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing URL hxxs|3a|//pnwc.bol-north.com/5808/1/3686/2/0/0/0/m/files-a2e589d2/file.rtf"; flow:to_server,established; http.uri; content:"hxxs|3a|//pnwc.bol-north.com/5808/1/3686/2/0/0/0/m/files-a2e589d2/file.rtf"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4218681; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname pnwc.bol-north.com"; dns.query; content:"pnwc.bol-north.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])pnwc\.bol\-north\.com$/i"; classtype:trojan-activity; sid:4218691; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname pnwc.bol-north.com"; flow:to_server,established; http.header; content: "Host|3a| pnwc.bol-north.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])pnwc\.bol\-north\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4218692; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e362 
[misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing URL https|3a|//mailtsinghua.sinacn.co/3679/1/55554/2/0/0/0/m/files-94c98cfb/hta"; tls.sni; content:"mailtsinghua.sinacn.co"; tag:session,600,seconds; classtype:trojan-activity; sid:4218721; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname mailtsinghua.sinacn.co"; dns.query; content:"mailtsinghua.sinacn.co"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mailtsinghua\.sinacn\.co$/i"; classtype:trojan-activity; sid:4218731; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname mailtsinghua.sinacn.co"; flow:to_server,established; http.header; content: "Host|3a| mailtsinghua.sinacn.co"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mailtsinghua\.sinacn\.co[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4218732; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing URL https|3a|//mailv.mofs-gov.org|3a|443/3669/1/24459/2/0/1/1850451727/6JOo39NpphBz5V3XOKZff9AGJH3RNAJuLvBQptc1/files-94603e7f/hta"; tls.sni; content:"mailv.mofs-gov.org"; tag:session,600,seconds; classtype:trojan-activity; sid:4218761; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 
[misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname mailv.mofs-gov.org"; dns.query; content:"mailv.mofs-gov.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mailv\.mofs\-gov\.org$/i"; classtype:trojan-activity; sid:4218771; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname mailv.mofs-gov.org"; flow:to_server,established; http.header; content: "Host|3a| mailv.mofs-gov.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mailv\.mofs\-gov\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4218772; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing URL https|3a|//games.srv-app.co/669/1/1970/2/0/0/1764305594/2X1R9Tw7c5eSvLpCCwnl0X7C0zhfHLA6RJzJ0ADS/files-82dfc144/appxed"; tls.sni; content:"games.srv-app.co"; tag:session,600,seconds; classtype:trojan-activity; sid:4218791; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname games.srv-app.co"; dns.query; content:"games.srv-app.co"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])games\.srv\-app\.co$/i"; classtype:trojan-activity; sid:4218801; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 
[misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname games.srv-app.co"; flow:to_server,established; http.header; content: "Host|3a| games.srv-app.co"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])games\.srv\-app\.co[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4218802; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 185.205.187.234 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 185.205.187.234"; classtype:trojan-activity; sid:4218931; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname pk.downld.net"; dns.query; content:"pk.downld.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])pk\.downld\.net$/i"; classtype:trojan-activity; sid:4218941; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname pk.downld.net"; flow:to_server,established; http.header; content: "Host|3a| pk.downld.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])pk\.downld\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4218942; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname 
paknavy-gov-pk.downld.net"; dns.query; content:"paknavy-gov-pk.downld.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])paknavy\-gov\-pk\.downld\.net$/i"; classtype:trojan-activity; sid:4218951; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname paknavy-gov-pk.downld.net"; flow:to_server,established; http.header; content: "Host|3a| paknavy-gov-pk.downld.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])paknavy\-gov\-pk\.downld\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4218952; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain downld.net"; dns.query; content:"downld.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])downld\.net$/i"; classtype:trojan-activity; sid:4218961; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain downld.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"downld.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])downld\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4218962; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 104.128.189.242 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] 
Outgoing To IP: 104.128.189.242"; classtype:trojan-activity; sid:4218971; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain cpec.site"; dns.query; content:"cpec.site"; nocase; pcre: "/(^|[^A-Za-z0-9-])cpec\.site$/i"; classtype:trojan-activity; sid:4218981; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain cpec.site"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cpec.site"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cpec\.site[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4218982; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 138.68.160.176 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 138.68.160.176"; classtype:trojan-activity; sid:4218991; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain sindhpolice-govpk.org"; dns.query; content:"sindhpolice-govpk.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])sindhpolice\-govpk\.org$/i"; classtype:trojan-activity; sid:4219001; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 
[misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain sindhpolice-govpk.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sindhpolice-govpk.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sindhpolice\-govpk\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219002; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain sbp-pk.org"; dns.query; content:"sbp-pk.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])sbp\-pk\.org$/i"; classtype:trojan-activity; sid:4219011; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain sbp-pk.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sbp-pk.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sbp\-pk\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219012; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain helpdesk-gov.info"; dns.query; content:"helpdesk-gov.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])helpdesk\-gov\.info$/i"; classtype:trojan-activity; sid:4219021; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 
[misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain helpdesk-gov.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"helpdesk-gov.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])helpdesk\-gov\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219022; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 149.154.152.37 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 149.154.152.37"; classtype:trojan-activity; sid:4219031; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain paf-govt.net"; dns.query; content:"paf-govt.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])paf\-govt\.net$/i"; classtype:trojan-activity; sid:4219041; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain paf-govt.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"paf-govt.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])paf\-govt\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219042; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - 
G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain bluedoor.click"; dns.query; content:"bluedoor.click"; nocase; pcre: "/(^|[^A-Za-z0-9-])bluedoor\.click$/i"; classtype:trojan-activity; sid:4219051; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain bluedoor.click"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bluedoor.click"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bluedoor\.click[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219052; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 149.154.154.216 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 149.154.154.216"; classtype:trojan-activity; sid:4219061; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain shortney.org"; dns.query; content:"shortney.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])shortney\.org$/i"; classtype:trojan-activity; sid:4219071; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain shortney.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"shortney.org"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])shortney\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219072; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 149.154.154.65 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 149.154.154.65"; classtype:trojan-activity; sid:4219081; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain storeapp.site"; dns.query; content:"storeapp.site"; nocase; pcre: "/(^|[^A-Za-z0-9-])storeapp\.site$/i"; classtype:trojan-activity; sid:4219091; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain storeapp.site"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"storeapp.site"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])storeapp\.site[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219092; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 151.236.14.56 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 151.236.14.56"; classtype:trojan-activity; sid:4219101; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - 
G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname reth.cvix.cc"; dns.query; content:"reth.cvix.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])reth\.cvix\.cc$/i"; classtype:trojan-activity; sid:4219111; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname reth.cvix.cc"; flow:to_server,established; http.header; content: "Host|3a| reth.cvix.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])reth\.cvix\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219112; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 151.236.21.16 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 151.236.21.16"; classtype:trojan-activity; sid:4219121; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname kito.countpro.info"; dns.query; content:"kito.countpro.info"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])kito\.countpro\.info$/i"; classtype:trojan-activity; sid:4219131; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname kito.countpro.info"; flow:to_server,established; http.header; content: "Host|3a| kito.countpro.info"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-\.])kito\.countpro\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219132; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 151.236.21.70 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 151.236.21.70"; classtype:trojan-activity; sid:4219141; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain ptcl-govp.org"; dns.query; content:"ptcl-govp.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])ptcl\-govp\.org$/i"; classtype:trojan-activity; sid:4219151; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain ptcl-govp.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ptcl-govp.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ptcl\-govp\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219152; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 151.236.25.121 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 151.236.25.121"; classtype:trojan-activity; sid:4219161; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - 
G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname insert.roteh.site"; dns.query; content:"insert.roteh.site"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])insert\.roteh\.site$/i"; classtype:trojan-activity; sid:4219171; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname insert.roteh.site"; flow:to_server,established; http.header; content: "Host|3a| insert.roteh.site"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])insert\.roteh\.site[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219172; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname active.roteh.site"; dns.query; content:"active.roteh.site"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])active\.roteh\.site$/i"; classtype:trojan-activity; sid:4219181; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname active.roteh.site"; flow:to_server,established; http.header; content: "Host|3a| active.roteh.site"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])active\.roteh\.site[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219182; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 151.236.5.250 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - 
G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 151.236.5.250"; classtype:trojan-activity; sid:4219191; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain ailyun.live"; dns.query; content:"ailyun.live"; nocase; pcre: "/(^|[^A-Za-z0-9-])ailyun\.live$/i"; classtype:trojan-activity; sid:4219201; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain ailyun.live"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ailyun.live"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ailyun\.live[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219202; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 158.255.211.188 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 158.255.211.188"; classtype:trojan-activity; sid:4219211; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain mofs-gov.org"; dns.query; content:"mofs-gov.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])mofs\-gov\.org$/i"; classtype:trojan-activity; sid:4219221; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 
[misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain mofs-gov.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mofs-gov.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mofs\-gov\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219222; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 158.255.212.140 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 158.255.212.140"; classtype:trojan-activity; sid:4219231; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain preat.info"; dns.query; content:"preat.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])preat\.info$/i"; classtype:trojan-activity; sid:4219241; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain preat.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"preat.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])preat\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219242; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 161.129.64.98 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - 
G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 161.129.64.98"; classtype:trojan-activity; sid:4219251; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain msoft-updt.net"; dns.query; content:"msoft-updt.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])msoft\-updt\.net$/i"; classtype:trojan-activity; sid:4219261; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain msoft-updt.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"msoft-updt.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])msoft\-updt\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219262; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 172.93.162.117 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 172.93.162.117"; classtype:trojan-activity; sid:4219271; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain inkly.net"; dns.query; content:"inkly.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])inkly\.net$/i"; classtype:trojan-activity; sid:4219281; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 
[misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain inkly.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"inkly.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])inkly\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219282; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
# --- MISP event 362 (misp.botvrij.eu): indicators tagged SideWinder / MITRE G0121, TLP:WHITE, priority 2 ---
# Every indicator below is emitted in one of three shapes:
#   alert ip  $HOME_NET any -> <addr> any            no content match: any IP traffic from the inside to the IOC
#                                                    address fires, whatever the protocol or port.
#   alert dns any any -> any any + dns.query         lookups of the IOC name. "Domain" rules allow a '.' before the
#                                                    name in the pcre, so every subdomain matches; "Hostname" rules
#                                                    exclude '.' and match that exact FQDN only. "any -> any" means a
#                                                    sensor that sees both the client->resolver and the
#                                                    resolver->upstream leg alerts twice per lookup.
#   alert http $HOME_NET any -> $EXTERNAL_NET any    outgoing requests whose headers carry the IOC name;
#                                                    tag:session,600,seconds keeps logging the matching session for
#                                                    600 s after the alert.
# Tuning caveats:
#   * In the "Outgoing HTTP Domain" rules the two http.header matches are independent (no distance/within/
#     startswith): `Host|3a|` only requires that some Host header exists, and the domain content + pcre (/H) are
#     evaluated over the whole request-header buffer, so a Referer/Origin/Location header that names the domain
#     fires them as well. The "Outgoing HTTP Hostname" variant is anchored (`Host|3a| <fqdn>`) and is the precise one.
#   * IP indicators rot as hosting is reassigned; re-check attribution of the `alert ip` targets before promoting
#     any of them from alert to drop.  -- TODO confirm current ownership per address
#   * NOTE(review): the msg strings embed galaxy tag values with unescaped double quotes (malpedia="SideWinder").
#     Snort's rule syntax requires `\"` inside msg; confirm the file loads cleanly on the target engine
#     (e.g. `suricata -T -S <file>`) before deployment.
alert ip $HOME_NET any -> 172.93.162.121 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 172.93.162.121"; classtype:trojan-activity; sid:4219291; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain paf-govt.info"; dns.query; content:"paf-govt.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])paf\-govt\.info$/i"; classtype:trojan-activity; sid:4219301; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain paf-govt.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"paf-govt.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])paf\-govt\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219302; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert ip $HOME_NET any -> 172.93.189.46 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 172.93.189.46"; classtype:trojan-activity; sid:4219311; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain hread.live"; dns.query; content:"hread.live"; nocase; pcre: "/(^|[^A-Za-z0-9-])hread\.live$/i"; classtype:trojan-activity; sid:4219321; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain hread.live"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hread.live"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hread\.live[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219322; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert ip $HOME_NET any -> 172.96.189.157 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 172.96.189.157"; classtype:trojan-activity; sid:4219331; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname found.neger.site"; dns.query; content:"found.neger.site"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])found\.neger\.site$/i"; classtype:trojan-activity; sid:4219341; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname found.neger.site"; flow:to_server,established; http.header; content: "Host|3a| found.neger.site"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])found\.neger\.site[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219342; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert ip $HOME_NET any -> 172.96.189.243 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 172.96.189.243"; classtype:trojan-activity; sid:4219351; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain prol.info"; dns.query; content:"prol.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])prol\.info$/i"; classtype:trojan-activity; sid:4219361; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain prol.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"prol.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])prol\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219362; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert ip $HOME_NET any -> 179.43.141.203 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 179.43.141.203"; classtype:trojan-activity; sid:4219371; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain e-tohfa.net"; dns.query; content:"e-tohfa.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])e\-tohfa\.net$/i"; classtype:trojan-activity; sid:4219381; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain e-tohfa.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"e-tohfa.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])e\-tohfa\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219382; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert ip $HOME_NET any -> 179.43.178.66 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 179.43.178.66"; classtype:trojan-activity; sid:4219391; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain ntc-pk.com"; dns.query; content:"ntc-pk.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ntc\-pk\.com$/i"; classtype:trojan-activity; sid:4219401; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain ntc-pk.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ntc-pk.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ntc\-pk\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219402; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert ip $HOME_NET any -> 185.117.90.144 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 185.117.90.144"; classtype:trojan-activity; sid:4219411; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain ortra.tech"; dns.query; content:"ortra.tech"; nocase; pcre: "/(^|[^A-Za-z0-9-])ortra\.tech$/i"; classtype:trojan-activity; sid:4219421; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain ortra.tech"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ortra.tech"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ortra\.tech[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219422; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert ip $HOME_NET any -> 185.174.135.21 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 185.174.135.21"; classtype:trojan-activity; sid:4219431; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname silk.freat.site"; dns.query; content:"silk.freat.site"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])silk\.freat\.site$/i"; classtype:trojan-activity; sid:4219441; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname silk.freat.site"; flow:to_server,established; http.header; content: "Host|3a| silk.freat.site"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])silk\.freat\.site[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219442; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert ip $HOME_NET any -> 185.174.135.31 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 185.174.135.31"; classtype:trojan-activity; sid:4219451; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain brac.tech"; dns.query; content:"brac.tech"; nocase; pcre: "/(^|[^A-Za-z0-9-])brac\.tech$/i"; classtype:trojan-activity; sid:4219461; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain brac.tech"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"brac.tech"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])brac\.tech[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219462; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert ip $HOME_NET any -> 185.174.135.57 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 185.174.135.57"; classtype:trojan-activity; sid:4219471; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert ip $HOME_NET any -> 185.228.83.78 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 185.228.83.78"; classtype:trojan-activity; sid:4219481; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain fdrek.live"; dns.query; content:"fdrek.live"; nocase; pcre: "/(^|[^A-Za-z0-9-])fdrek\.live$/i"; classtype:trojan-activity; sid:4219491; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain fdrek.live"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"fdrek.live"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])fdrek\.live[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219492; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert ip $HOME_NET any -> 185.80.53.106 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 185.80.53.106"; classtype:trojan-activity; sid:4219501; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname treat.fraty.info"; dns.query; content:"treat.fraty.info"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])treat\.fraty\.info$/i"; classtype:trojan-activity; sid:4219511; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname treat.fraty.info"; flow:to_server,established; http.header; content: "Host|3a| treat.fraty.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])treat\.fraty\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219512; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert ip $HOME_NET any -> 192.71.166.145 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 192.71.166.145"; classtype:trojan-activity; sid:4219521; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname portal.breat.info"; dns.query; content:"portal.breat.info"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])portal\.breat\.info$/i"; classtype:trojan-activity; sid:4219531; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname portal.breat.info"; flow:to_server,established; http.header; content: "Host|3a| portal.breat.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])portal\.breat\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219532; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert ip $HOME_NET any -> 192.71.249.34 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 192.71.249.34"; classtype:trojan-activity; sid:4219541; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname cdn.torsey.xyz"; dns.query; content:"cdn.torsey.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cdn\.torsey\.xyz$/i"; classtype:trojan-activity; sid:4219551; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname cdn.torsey.xyz"; flow:to_server,established; http.header; content: "Host|3a| cdn.torsey.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cdn\.torsey\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219552; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert ip $HOME_NET any -> 193.200.17.199 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 193.200.17.199"; classtype:trojan-activity; sid:4219561; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname amuck.scoler.tech"; dns.query; content:"amuck.scoler.tech"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])amuck\.scoler\.tech$/i"; classtype:trojan-activity; sid:4219571; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname amuck.scoler.tech"; flow:to_server,established; http.header; content: "Host|3a| amuck.scoler.tech"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])amuck\.scoler\.tech[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219572; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert ip $HOME_NET any -> 193.42.36.102 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 193.42.36.102"; classtype:trojan-activity; sid:4219581; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain appsrv.live"; dns.query; content:"appsrv.live"; nocase; pcre: "/(^|[^A-Za-z0-9-])appsrv\.live$/i"; classtype:trojan-activity; sid:4219591; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain appsrv.live"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"appsrv.live"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])appsrv\.live[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219592; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert ip $HOME_NET any -> 193.42.36.214 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 193.42.36.214"; classtype:trojan-activity; sid:4219601; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname cluster.jotse.info"; dns.query; content:"cluster.jotse.info"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cluster\.jotse\.info$/i"; classtype:trojan-activity; sid:4219611; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname cluster.jotse.info"; flow:to_server,established; http.header; content: "Host|3a| cluster.jotse.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cluster\.jotse\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219612; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert ip $HOME_NET any -> 193.42.36.223 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 193.42.36.223"; classtype:trojan-activity; sid:4219621; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain cssc-net.co"; dns.query; content:"cssc-net.co"; nocase; pcre: "/(^|[^A-Za-z0-9-])cssc\-net\.co$/i"; classtype:trojan-activity; sid:4219631; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain cssc-net.co"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cssc-net.co"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cssc\-net\.co[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219632; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert ip $HOME_NET any -> 193.42.36.25 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 193.42.36.25"; classtype:trojan-activity; sid:4219641; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname split.tyoin.biz"; dns.query; content:"split.tyoin.biz"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])split\.tyoin\.biz$/i"; classtype:trojan-activity; sid:4219651; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname split.tyoin.biz"; flow:to_server,established; http.header; content: "Host|3a| split.tyoin.biz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])split\.tyoin\.biz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219652; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert ip $HOME_NET any -> 193.42.36.50 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 193.42.36.50"; classtype:trojan-activity; sid:4219661; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain plors.tech"; dns.query; content:"plors.tech"; nocase; pcre: "/(^|[^A-Za-z0-9-])plors\.tech$/i"; classtype:trojan-activity; sid:4219671; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain plors.tech"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"plors.tech"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])plors\.tech[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219672; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert ip $HOME_NET any -> 193.42.36.86 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 193.42.36.86"; classtype:trojan-activity; sid:4219681; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain gretic.info"; dns.query; content:"gretic.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])gretic\.info$/i"; classtype:trojan-activity; sid:4219691; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain gretic.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gretic.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gretic\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219692; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert ip $HOME_NET any -> 193.42.39.34 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 193.42.39.34"; classtype:trojan-activity; sid:4219701; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname offshore.leron.info"; dns.query; content:"offshore.leron.info"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])offshore\.leron\.info$/i"; classtype:trojan-activity; sid:4219711; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname offshore.leron.info"; flow:to_server,established; http.header; content: "Host|3a| offshore.leron.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])offshore\.leron\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219712; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert ip $HOME_NET any -> 194.61.121.176 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 194.61.121.176"; classtype:trojan-activity; sid:4219721; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname zone.vtray.tech"; dns.query; content:"zone.vtray.tech"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])zone\.vtray\.tech$/i"; classtype:trojan-activity; sid:4219731; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname zone.vtray.tech"; flow:to_server,established; http.header; content: "Host|3a| zone.vtray.tech"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])zone\.vtray\.tech[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219732; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert ip $HOME_NET any -> 194.61.121.216 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 194.61.121.216"; classtype:trojan-activity; sid:4219741; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain mfagov.org"; dns.query; content:"mfagov.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])mfagov\.org$/i"; classtype:trojan-activity; sid:4219751; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain mfagov.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mfagov.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mfagov\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219752; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert ip $HOME_NET any -> 194.68.225.13 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 194.68.225.13"; classtype:trojan-activity; sid:4219761; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname jester.hyat.tech"; dns.query; content:"jester.hyat.tech"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])jester\.hyat\.tech$/i"; classtype:trojan-activity; sid:4219771; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname jester.hyat.tech"; flow:to_server,established; http.header; content: "Host|3a| jester.hyat.tech"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])jester\.hyat\.tech[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219772; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert ip $HOME_NET any -> 194.71.227.147 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 194.71.227.147"; classtype:trojan-activity; sid:4219781; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain islamic-path.com"; dns.query; content:"islamic-path.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])islamic\-path\.com$/i"; classtype:trojan-activity; sid:4219791; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain islamic-path.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"islamic-path.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])islamic\-path\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219792; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert ip $HOME_NET any -> 194.71.227.64 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 194.71.227.64"; classtype:trojan-activity; sid:4219801; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain enclose.info"; dns.query; content:"enclose.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])enclose\.info$/i"; classtype:trojan-activity; sid:4219811; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain enclose.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"enclose.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])enclose\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219812; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
# NOTE(review): the next three FQDNs are covered already by the enclose.info "Domain" rules above (their pcre
# admits any subdomain), so they only add a second, exact-name alert. `hostmaster.` is the conventional SOA
# contact label and `sdfsdg.` looks like a placeholder; presumably harvested from zone data rather than observed
# beaconing — confirm against the event before relying on them for detection.
alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname hostmaster.enclose.info"; dns.query; content:"hostmaster.enclose.info"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])hostmaster\.enclose\.info$/i"; classtype:trojan-activity; sid:4219821; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname hostmaster.enclose.info"; flow:to_server,established; http.header; content: "Host|3a| hostmaster.enclose.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])hostmaster\.enclose\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219822; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname gitlab.enclose.info"; dns.query; content:"gitlab.enclose.info"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])gitlab\.enclose\.info$/i"; classtype:trojan-activity; sid:4219831; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname gitlab.enclose.info"; flow:to_server,established; http.header; content: "Host|3a| gitlab.enclose.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])gitlab\.enclose\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219832; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname sdfsdg.enclose.info"; dns.query; content:"sdfsdg.enclose.info"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])sdfsdg\.enclose\.info$/i"; classtype:trojan-activity; sid:4219841; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname sdfsdg.enclose.info"; flow:to_server,established; http.header; content: "Host|3a| sdfsdg.enclose.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])sdfsdg\.enclose\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219842; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert ip $HOME_NET any -> 195.133.192.40 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 195.133.192.40"; classtype:trojan-activity; sid:4219851; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname square.oprad.top"; dns.query; content:"square.oprad.top"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])square\.oprad\.top$/i"; classtype:trojan-activity; sid:4219861; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname square.oprad.top"; flow:to_server,established; http.header; content: "Host|3a| square.oprad.top"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])square\.oprad\.top[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219862; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert ip $HOME_NET any -> 198.252.108.219 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 198.252.108.219"; classtype:trojan-activity; sid:4219871; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;)
alert dns any any -> any any (msg: "MISP e362 
[misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain dsmes.xyz"; dns.query; content:"dsmes.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])dsmes\.xyz$/i"; classtype:trojan-activity; sid:4219881; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain dsmes.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dsmes.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dsmes\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219882; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 198.252.108.33 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 198.252.108.33"; classtype:trojan-activity; sid:4219891; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname roof.wsink.live"; dns.query; content:"roof.wsink.live"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])roof\.wsink\.live$/i"; classtype:trojan-activity; sid:4219901; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname roof.wsink.live"; flow:to_server,established; http.header; content: "Host|3a| roof.wsink.live"; 
fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])roof\.wsink\.live[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219902; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname rugby.wsink.live"; dns.query; content:"rugby.wsink.live"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])rugby\.wsink\.live$/i"; classtype:trojan-activity; sid:4219911; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname rugby.wsink.live"; flow:to_server,established; http.header; content: "Host|3a| rugby.wsink.live"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])rugby\.wsink\.live[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219912; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 2.58.14.202 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 2.58.14.202"; classtype:trojan-activity; sid:4219921; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname mat.trelin.tech"; dns.query; content:"mat.trelin.tech"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mat\.trelin\.tech$/i"; classtype:trojan-activity; sid:4219931; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname mat.trelin.tech"; flow:to_server,established; http.header; content: "Host|3a| mat.trelin.tech"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mat\.trelin\.tech[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219932; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname spec.trelin.tech"; dns.query; content:"spec.trelin.tech"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])spec\.trelin\.tech$/i"; classtype:trojan-activity; sid:4219941; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname spec.trelin.tech"; flow:to_server,established; http.header; content: "Host|3a| spec.trelin.tech"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])spec\.trelin\.tech[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219942; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 2.58.14.249 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 2.58.14.249"; classtype:trojan-activity; sid:4219951; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - 
G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain fia-gov.com"; dns.query; content:"fia-gov.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])fia\-gov\.com$/i"; classtype:trojan-activity; sid:4219961; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain fia-gov.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"fia-gov.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])fia\-gov\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219962; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 2.58.15.61 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 2.58.15.61"; classtype:trojan-activity; sid:4219971; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname livo.silvon.site"; dns.query; content:"livo.silvon.site"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])livo\.silvon\.site$/i"; classtype:trojan-activity; sid:4219981; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname livo.silvon.site"; flow:to_server,established; http.header; content: "Host|3a| livo.silvon.site"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-\.])livo\.silvon\.site[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4219982; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 203.24.92.115 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 203.24.92.115"; classtype:trojan-activity; sid:4219991; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain gearfill.biz"; dns.query; content:"gearfill.biz"; nocase; pcre: "/(^|[^A-Za-z0-9-])gearfill\.biz$/i"; classtype:trojan-activity; sid:4220001; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain gearfill.biz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gearfill.biz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gearfill\.biz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220002; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 23.106.122.96 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 23.106.122.96"; classtype:trojan-activity; sid:4220011; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - 
G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain georgion.info"; dns.query; content:"georgion.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])georgion\.info$/i"; classtype:trojan-activity; sid:4220021; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain georgion.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"georgion.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])georgion\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220022; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 37.235.56.14 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 37.235.56.14"; classtype:trojan-activity; sid:4220031; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain defpak.org"; dns.query; content:"defpak.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])defpak\.org$/i"; classtype:trojan-activity; sid:4220041; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain defpak.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"defpak.org"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])defpak\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220042; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 45.14.107.153 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 45.14.107.153"; classtype:trojan-activity; sid:4220051; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain tinurl.click"; dns.query; content:"tinurl.click"; nocase; pcre: "/(^|[^A-Za-z0-9-])tinurl\.click$/i"; classtype:trojan-activity; sid:4220061; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain tinurl.click"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tinurl.click"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tinurl\.click[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220062; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 45.147.229.83 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 45.147.229.83"; classtype:trojan-activity; sid:4220071; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - 
G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain olerpic.info"; dns.query; content:"olerpic.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])olerpic\.info$/i"; classtype:trojan-activity; sid:4220081; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain olerpic.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"olerpic.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])olerpic\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220082; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname privacy.olerpic.info"; dns.query; content:"privacy.olerpic.info"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])privacy\.olerpic\.info$/i"; classtype:trojan-activity; sid:4220091; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname privacy.olerpic.info"; flow:to_server,established; http.header; content: "Host|3a| privacy.olerpic.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])privacy\.olerpic\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220092; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - 
G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname freedom.olerpic.info"; dns.query; content:"freedom.olerpic.info"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])freedom\.olerpic\.info$/i"; classtype:trojan-activity; sid:4220101; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname freedom.olerpic.info"; flow:to_server,established; http.header; content: "Host|3a| freedom.olerpic.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])freedom\.olerpic\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220102; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 45.147.230.157 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 45.147.230.157"; classtype:trojan-activity; sid:4220111; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain blesis.live"; dns.query; content:"blesis.live"; nocase; pcre: "/(^|[^A-Za-z0-9-])blesis\.live$/i"; classtype:trojan-activity; sid:4220121; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain blesis.live"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"blesis.live"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])blesis\.live[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220122; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 45.86.162.110 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 45.86.162.110"; classtype:trojan-activity; sid:4220131; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 46.21.153.227 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 46.21.153.227"; classtype:trojan-activity; sid:4220141; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname handle.proey.tech"; dns.query; content:"handle.proey.tech"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])handle\.proey\.tech$/i"; classtype:trojan-activity; sid:4220151; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname handle.proey.tech"; flow:to_server,established; http.header; content: "Host|3a| handle.proey.tech"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])handle\.proey\.tech[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220152; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - 
G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname view.proey.tech"; dns.query; content:"view.proey.tech"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])view\.proey\.tech$/i"; classtype:trojan-activity; sid:4220161; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname view.proey.tech"; flow:to_server,established; http.header; content: "Host|3a| view.proey.tech"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])view\.proey\.tech[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220162; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 46.30.188.174 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 46.30.188.174"; classtype:trojan-activity; sid:4220171; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname cater.sphery.live"; dns.query; content:"cater.sphery.live"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cater\.sphery\.live$/i"; classtype:trojan-activity; sid:4220181; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname cater.sphery.live"; flow:to_server,established; http.header; content: "Host|3a| cater.sphery.live"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-\.])cater\.sphery\.live[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220182; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname endure.sphery.live"; dns.query; content:"endure.sphery.live"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])endure\.sphery\.live$/i"; classtype:trojan-activity; sid:4220191; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname endure.sphery.live"; flow:to_server,established; http.header; content: "Host|3a| endure.sphery.live"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])endure\.sphery\.live[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220192; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 46.30.189.53 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 46.30.189.53"; classtype:trojan-activity; sid:4220201; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname focus.mectel.tech"; dns.query; content:"focus.mectel.tech"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])focus\.mectel\.tech$/i"; classtype:trojan-activity; sid:4220211; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname focus.mectel.tech"; flow:to_server,established; http.header; content: "Host|3a| focus.mectel.tech"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])focus\.mectel\.tech[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220212; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 46.30.189.54 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 46.30.189.54"; classtype:trojan-activity; sid:4220221; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname opt.freay.tech"; dns.query; content:"opt.freay.tech"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])opt\.freay\.tech$/i"; classtype:trojan-activity; sid:4220231; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname opt.freay.tech"; flow:to_server,established; http.header; content: "Host|3a| opt.freay.tech"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])opt\.freay\.tech[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220232; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] 
Hostname avail.freay.tech"; dns.query; content:"avail.freay.tech"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])avail\.freay\.tech$/i"; classtype:trojan-activity; sid:4220241; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname avail.freay.tech"; flow:to_server,established; http.header; content: "Host|3a| avail.freay.tech"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])avail\.freay\.tech[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220242; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 5.149.249.186 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 5.149.249.186"; classtype:trojan-activity; sid:4220251; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain awrah.live"; dns.query; content:"awrah.live"; nocase; pcre: "/(^|[^A-Za-z0-9-])awrah\.live$/i"; classtype:trojan-activity; sid:4220261; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain awrah.live"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"awrah.live"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])awrah\.live[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4220262; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 5.2.74.116 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 5.2.74.116"; classtype:trojan-activity; sid:4220271; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname reveal.troks.site"; dns.query; content:"reveal.troks.site"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])reveal\.troks\.site$/i"; classtype:trojan-activity; sid:4220281; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname reveal.troks.site"; flow:to_server,established; http.header; content: "Host|3a| reveal.troks.site"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])reveal\.troks\.site[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220282; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname found.troks.site"; dns.query; content:"found.troks.site"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])found\.troks\.site$/i"; classtype:trojan-activity; sid:4220291; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder 
- G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname found.troks.site"; flow:to_server,established; http.header; content: "Host|3a| found.troks.site"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])found\.troks\.site[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220292; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 5.2.76.232 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 5.2.76.232"; classtype:trojan-activity; sid:4220301; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain geoloc.top"; dns.query; content:"geoloc.top"; nocase; pcre: "/(^|[^A-Za-z0-9-])geoloc\.top$/i"; classtype:trojan-activity; sid:4220311; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain geoloc.top"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"geoloc.top"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])geoloc\.top[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220312; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 5.2.77.238 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 5.2.77.238"; classtype:trojan-activity; sid:4220321; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain hldren.info"; dns.query; content:"hldren.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])hldren\.info$/i"; classtype:trojan-activity; sid:4220331; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain hldren.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hldren.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hldren\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220332; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname private.hldren.info"; dns.query; content:"private.hldren.info"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])private\.hldren\.info$/i"; classtype:trojan-activity; sid:4220341; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname private.hldren.info"; flow:to_server,established; http.header; content: "Host|3a| private.hldren.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])private\.hldren\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220342; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname straight.hldren.info"; dns.query; content:"straight.hldren.info"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])straight\.hldren\.info$/i"; classtype:trojan-activity; sid:4220351; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname straight.hldren.info"; flow:to_server,established; http.header; content: "Host|3a| straight.hldren.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])straight\.hldren\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220352; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 5.2.78.64 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 5.2.78.64"; classtype:trojan-activity; sid:4220361; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname confluence.assbutt.xyz"; dns.query; content:"confluence.assbutt.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])confluence\.assbutt\.xyz$/i"; classtype:trojan-activity; sid:4220371; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - 
G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname confluence.assbutt.xyz"; flow:to_server,established; http.header; content: "Host|3a| confluence.assbutt.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])confluence\.assbutt\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220372; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname normal.aeryple.xyz"; dns.query; content:"normal.aeryple.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])normal\.aeryple\.xyz$/i"; classtype:trojan-activity; sid:4220381; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname normal.aeryple.xyz"; flow:to_server,established; http.header; content: "Host|3a| normal.aeryple.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])normal\.aeryple\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220382; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname lines.aeryple.xyz"; dns.query; content:"lines.aeryple.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])lines\.aeryple\.xyz$/i"; classtype:trojan-activity; sid:4220391; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - 
G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname lines.aeryple.xyz"; flow:to_server,established; http.header; content: "Host|3a| lines.aeryple.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])lines\.aeryple\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220392; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 5.230.67.108 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 5.230.67.108"; classtype:trojan-activity; sid:4220401; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain srv-app.co"; dns.query; content:"srv-app.co"; nocase; pcre: "/(^|[^A-Za-z0-9-])srv\-app\.co$/i"; classtype:trojan-activity; sid:4220411; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain srv-app.co"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"srv-app.co"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])srv\-app\.co[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220412; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 5.230.67.170 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 5.230.67.170"; classtype:trojan-activity; sid:4220421; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain mopiler.top"; dns.query; content:"mopiler.top"; nocase; pcre: "/(^|[^A-Za-z0-9-])mopiler\.top$/i"; classtype:trojan-activity; sid:4220431; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain mopiler.top"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mopiler.top"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mopiler\.top[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220432; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 5.230.67.201 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 5.230.67.201"; classtype:trojan-activity; sid:4220441; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname sk.krontec.info"; dns.query; content:"sk.krontec.info"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])sk\.krontec\.info$/i"; classtype:trojan-activity; sid:4220451; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP 
Hostname sk.krontec.info"; flow:to_server,established; http.header; content: "Host|3a| sk.krontec.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])sk\.krontec\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220452; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 5.230.67.211 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 5.230.67.211"; classtype:trojan-activity; sid:4220461; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain preag.info"; dns.query; content:"preag.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])preag\.info$/i"; classtype:trojan-activity; sid:4220471; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain preag.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"preag.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])preag\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220472; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 5.230.67.243 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 5.230.67.243"; classtype:trojan-activity; sid:4220481; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> 
any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain telemart-pk.com"; dns.query; content:"telemart-pk.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])telemart\-pk\.com$/i"; classtype:trojan-activity; sid:4220491; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain telemart-pk.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"telemart-pk.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])telemart\-pk\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220492; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 5.230.67.41 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 5.230.67.41"; classtype:trojan-activity; sid:4220501; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname service.true-islam.org"; dns.query; content:"service.true-islam.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])service\.true\-islam\.org$/i"; classtype:trojan-activity; sid:4220511; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname 
service.true-islam.org"; flow:to_server,established; http.header; content: "Host|3a| service.true-islam.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])service\.true\-islam\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220512; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname ftp.true-islam.org"; dns.query; content:"ftp.true-islam.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ftp\.true\-islam\.org$/i"; classtype:trojan-activity; sid:4220521; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname ftp.true-islam.org"; flow:to_server,established; http.header; content: "Host|3a| ftp.true-islam.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ftp\.true\-islam\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220522; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 5.230.68.124 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 5.230.68.124"; classtype:trojan-activity; sid:4220531; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname moon.tfrend.org"; dns.query; content:"moon.tfrend.org"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])moon\.tfrend\.org$/i"; 
classtype:trojan-activity; sid:4220541; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname moon.tfrend.org"; flow:to_server,established; http.header; content: "Host|3a| moon.tfrend.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])moon\.tfrend\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220542; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 5.230.68.190 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 5.230.68.190"; classtype:trojan-activity; sid:4220551; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain zolosy.top"; dns.query; content:"zolosy.top"; nocase; pcre: "/(^|[^A-Za-z0-9-])zolosy\.top$/i"; classtype:trojan-activity; sid:4220561; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain zolosy.top"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"zolosy.top"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])zolosy\.top[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220562; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 
5.230.69.136 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 5.230.69.136"; classtype:trojan-activity; sid:4220571; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname basic.gruh.site"; dns.query; content:"basic.gruh.site"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])basic\.gruh\.site$/i"; classtype:trojan-activity; sid:4220581; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname basic.gruh.site"; flow:to_server,established; http.header; content: "Host|3a| basic.gruh.site"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])basic\.gruh\.site[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220582; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 5.230.69.72 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 5.230.69.72"; classtype:trojan-activity; sid:4220591; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname utilize.elopter.top"; dns.query; content:"utilize.elopter.top"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])utilize\.elopter\.top$/i"; classtype:trojan-activity; sid:4220601; rev:1; 
priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname utilize.elopter.top"; flow:to_server,established; http.header; content: "Host|3a| utilize.elopter.top"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])utilize\.elopter\.top[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220602; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 5.230.71.10 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 5.230.71.10"; classtype:trojan-activity; sid:4220611; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname brave.agarg.tech"; dns.query; content:"brave.agarg.tech"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])brave\.agarg\.tech$/i"; classtype:trojan-activity; sid:4220621; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname brave.agarg.tech"; flow:to_server,established; http.header; content: "Host|3a| brave.agarg.tech"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])brave\.agarg\.tech[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220622; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 
[misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname bless.agarg.tech"; dns.query; content:"bless.agarg.tech"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])bless\.agarg\.tech$/i"; classtype:trojan-activity; sid:4220631; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname bless.agarg.tech"; flow:to_server,established; http.header; content: "Host|3a| bless.agarg.tech"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])bless\.agarg\.tech[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220632; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname basis.agarg.tech"; dns.query; content:"basis.agarg.tech"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])basis\.agarg\.tech$/i"; classtype:trojan-activity; sid:4220641; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname basis.agarg.tech"; flow:to_server,established; http.header; content: "Host|3a| basis.agarg.tech"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])basis\.agarg\.tech[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220642; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 5.230.72.173 any (msg: "MISP e362 
[misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 5.230.72.173"; classtype:trojan-activity; sid:4220651; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain ntc-pk.org"; dns.query; content:"ntc-pk.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])ntc\-pk\.org$/i"; classtype:trojan-activity; sid:4220661; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain ntc-pk.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ntc-pk.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ntc\-pk\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220662; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname aa173.bank-ok.com"; dns.query; content:"aa173.bank-ok.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])aa173\.bank\-ok\.com$/i"; classtype:trojan-activity; sid:4220671; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname aa173.bank-ok.com"; flow:to_server,established; http.header; content: "Host|3a| aa173.bank-ok.com"; 
fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])aa173\.bank\-ok\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220672; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 5.230.72.184 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 5.230.72.184"; classtype:trojan-activity; sid:4220681; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain directt88.org"; dns.query; content:"directt88.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])directt88\.org$/i"; classtype:trojan-activity; sid:4220691; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain directt88.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"directt88.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])directt88\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220692; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 5.230.72.213 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 5.230.72.213"; classtype:trojan-activity; sid:4220701; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 
[misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname www.tinlly.co"; dns.query; content:"www.tinlly.co"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.tinlly\.co$/i"; classtype:trojan-activity; sid:4220711; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname www.tinlly.co"; flow:to_server,established; http.header; content: "Host|3a| www.tinlly.co"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.tinlly\.co[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220712; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 5.230.72.27 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 5.230.72.27"; classtype:trojan-activity; sid:4220721; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain file-download.co"; dns.query; content:"file-download.co"; nocase; pcre: "/(^|[^A-Za-z0-9-])file\-download\.co$/i"; classtype:trojan-activity; sid:4220731; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain file-download.co"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; 
content:"file-download.co"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])file\-download\.co[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220732; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 5.230.72.63 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 5.230.72.63"; classtype:trojan-activity; sid:4220741; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain dr-doom.xyz"; dns.query; content:"dr-doom.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])dr\-doom\.xyz$/i"; classtype:trojan-activity; sid:4220751; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain dr-doom.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dr-doom.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dr\-doom\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220752; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 5.230.72.98 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 5.230.72.98"; classtype:trojan-activity; sid:4220761; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 
[misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain aliit.org"; dns.query; content:"aliit.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])aliit\.org$/i"; classtype:trojan-activity; sid:4220771; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain aliit.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"aliit.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])aliit\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220772; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 5.230.73.106 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 5.230.73.106"; classtype:trojan-activity; sid:4220781; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain bol-north.com"; dns.query; content:"bol-north.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])bol\-north\.com$/i"; classtype:trojan-activity; sid:4220791; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain bol-north.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; 
content:"bol-north.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bol\-north\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220792; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 5.230.73.180 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 5.230.73.180"; classtype:trojan-activity; sid:4220801; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain daraz-pk.com"; dns.query; content:"daraz-pk.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])daraz\-pk\.com$/i"; classtype:trojan-activity; sid:4220811; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain daraz-pk.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"daraz-pk.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])daraz\-pk\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220812; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 5.230.73.48 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 5.230.73.48"; classtype:trojan-activity; sid:4220821; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 
[misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain gruve.site"; dns.query; content:"gruve.site"; nocase; pcre: "/(^|[^A-Za-z0-9-])gruve\.site$/i"; classtype:trojan-activity; sid:4220831; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain gruve.site"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gruve.site"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gruve\.site[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220832; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname tab.gruve.site"; dns.query; content:"tab.gruve.site"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])tab\.gruve\.site$/i"; classtype:trojan-activity; sid:4220841; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname tab.gruve.site"; flow:to_server,established; http.header; content: "Host|3a| tab.gruve.site"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])tab\.gruve\.site[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220842; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 5.230.73.60 any (msg: "MISP e362 
[misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 5.230.73.60"; classtype:trojan-activity; sid:4220851; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain pastlet.live"; dns.query; content:"pastlet.live"; nocase; pcre: "/(^|[^A-Za-z0-9-])pastlet\.live$/i"; classtype:trojan-activity; sid:4220861; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain pastlet.live"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pastlet.live"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pastlet\.live[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220862; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 5.230.74.103 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 5.230.74.103"; classtype:trojan-activity; sid:4220871; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname preat.fujit.info"; dns.query; content:"preat.fujit.info"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])preat\.fujit\.info$/i"; classtype:trojan-activity; sid:4220881; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname preat.fujit.info"; flow:to_server,established; http.header; content: "Host|3a| preat.fujit.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])preat\.fujit\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220882; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 5.230.74.251 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 5.230.74.251"; classtype:trojan-activity; sid:4220891; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname lucas.hertic.tech"; dns.query; content:"lucas.hertic.tech"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])lucas\.hertic\.tech$/i"; classtype:trojan-activity; sid:4220901; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname lucas.hertic.tech"; flow:to_server,established; http.header; content: "Host|3a| lucas.hertic.tech"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])lucas\.hertic\.tech[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220902; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 5.230.74.66 any (msg: "MISP e362 
[misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 5.230.74.66"; classtype:trojan-activity; sid:4220911; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain pak-news.info"; dns.query; content:"pak-news.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])pak\-news\.info$/i"; classtype:trojan-activity; sid:4220921; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain pak-news.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pak-news.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pak\-news\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220922; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 5.230.75.175 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 5.230.75.175"; classtype:trojan-activity; sid:4220931; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain shrtny.co"; dns.query; content:"shrtny.co"; nocase; pcre: "/(^|[^A-Za-z0-9-])shrtny\.co$/i"; classtype:trojan-activity; sid:4220941; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain shrtny.co"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"shrtny.co"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])shrtny\.co[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220942; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 5.230.75.179 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 5.230.75.179"; classtype:trojan-activity; sid:4220951; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain support-twitter.com"; dns.query; content:"support-twitter.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])support\-twitter\.com$/i"; classtype:trojan-activity; sid:4220961; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain support-twitter.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"support-twitter.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])support\-twitter\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220962; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 
5.230.75.40 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 5.230.75.40"; classtype:trojan-activity; sid:4220971; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain verocal.info"; dns.query; content:"verocal.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])verocal\.info$/i"; classtype:trojan-activity; sid:4220981; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain verocal.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"verocal.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])verocal\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4220982; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 5.255.100.119 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 5.255.100.119"; classtype:trojan-activity; sid:4220991; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain pak-gov.info"; dns.query; content:"pak-gov.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])pak\-gov\.info$/i"; classtype:trojan-activity; sid:4221001; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain pak-gov.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pak-gov.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pak\-gov\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4221002; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 5.255.100.134 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 5.255.100.134"; classtype:trojan-activity; sid:4221011; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain ridlay.live"; dns.query; content:"ridlay.live"; nocase; pcre: "/(^|[^A-Za-z0-9-])ridlay\.live$/i"; classtype:trojan-activity; sid:4221021; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain ridlay.live"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ridlay.live"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ridlay\.live[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4221022; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 5.255.103.59 any (msg: "MISP e362 
[misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 5.255.103.59"; classtype:trojan-activity; sid:4221031; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname estate.ovil.tech"; dns.query; content:"estate.ovil.tech"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])estate\.ovil\.tech$/i"; classtype:trojan-activity; sid:4221041; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname estate.ovil.tech"; flow:to_server,established; http.header; content: "Host|3a| estate.ovil.tech"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])estate\.ovil\.tech[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4221042; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 5.255.104.154 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 5.255.104.154"; classtype:trojan-activity; sid:4221051; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain leyra.tech"; dns.query; content:"leyra.tech"; nocase; pcre: "/(^|[^A-Za-z0-9-])leyra\.tech$/i"; classtype:trojan-activity; sid:4221061; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain leyra.tech"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"leyra.tech"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])leyra\.tech[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4221062; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 5.255.104.209 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 5.255.104.209"; classtype:trojan-activity; sid:4221071; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname focus.semain.tech"; dns.query; content:"focus.semain.tech"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])focus\.semain\.tech$/i"; classtype:trojan-activity; sid:4221081; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname focus.semain.tech"; flow:to_server,established; http.header; content: "Host|3a| focus.semain.tech"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])focus\.semain\.tech[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4221082; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 5.255.104.34 any (msg: "MISP e362 
[misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 5.255.104.34"; classtype:trojan-activity; sid:4221091; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname zed.shrtny.live"; dns.query; content:"zed.shrtny.live"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])zed\.shrtny\.live$/i"; classtype:trojan-activity; sid:4221101; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname zed.shrtny.live"; flow:to_server,established; http.header; content: "Host|3a| zed.shrtny.live"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])zed\.shrtny\.live[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4221102; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 5.255.105.65 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 5.255.105.65"; classtype:trojan-activity; sid:4221111; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname rack.nelcec.info"; dns.query; content:"rack.nelcec.info"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])rack\.nelcec\.info$/i"; classtype:trojan-activity; sid:4221121; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname rack.nelcec.info"; flow:to_server,established; http.header; content: "Host|3a| rack.nelcec.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])rack\.nelcec\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4221122; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 5.255.105.73 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 5.255.105.73"; classtype:trojan-activity; sid:4221131; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain sinacn.co"; dns.query; content:"sinacn.co"; nocase; pcre: "/(^|[^A-Za-z0-9-])sinacn\.co$/i"; classtype:trojan-activity; sid:4221141; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain sinacn.co"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sinacn.co"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sinacn\.co[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4221142; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 5.255.106.249 any (msg: "MISP e362 
[misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 5.255.106.249"; classtype:trojan-activity; sid:4221151; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain dowmload.net"; dns.query; content:"dowmload.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])dowmload\.net$/i"; classtype:trojan-activity; sid:4221161; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain dowmload.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dowmload.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dowmload\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4221162; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 5.255.109.70 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 5.255.109.70"; classtype:trojan-activity; sid:4221171; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain pak-govt.net"; dns.query; content:"pak-govt.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])pak\-govt\.net$/i"; classtype:trojan-activity; sid:4221181; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain pak-govt.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pak-govt.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pak\-govt\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4221182; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 5.255.112.178 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 5.255.112.178"; classtype:trojan-activity; sid:4221191; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain csdstore.app"; dns.query; content:"csdstore.app"; nocase; pcre: "/(^|[^A-Za-z0-9-])csdstore\.app$/i"; classtype:trojan-activity; sid:4221201; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain csdstore.app"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"csdstore.app"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])csdstore\.app[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4221202; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 5.255.98.158 any (msg: "MISP e362 
[misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 5.255.98.158"; classtype:trojan-activity; sid:4221211; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname climb.kalpo.xyz"; dns.query; content:"climb.kalpo.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])climb\.kalpo\.xyz$/i"; classtype:trojan-activity; sid:4221221; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname climb.kalpo.xyz"; flow:to_server,established; http.header; content: "Host|3a| climb.kalpo.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])climb\.kalpo\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4221222; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname ceiling.kalpo.xyz"; dns.query; content:"ceiling.kalpo.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ceiling\.kalpo\.xyz$/i"; classtype:trojan-activity; sid:4221231; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname ceiling.kalpo.xyz"; flow:to_server,established; http.header; content: "Host|3a| ceiling.kalpo.xyz"; 
fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ceiling\.kalpo\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4221232; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 64.44.167.150 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 64.44.167.150"; classtype:trojan-activity; sid:4221241; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname axis.heplor.biz"; dns.query; content:"axis.heplor.biz"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])axis\.heplor\.biz$/i"; classtype:trojan-activity; sid:4221251; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname axis.heplor.biz"; flow:to_server,established; http.header; content: "Host|3a| axis.heplor.biz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])axis\.heplor\.biz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4221252; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 77.83.196.15 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 77.83.196.15"; classtype:trojan-activity; sid:4221261; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 
[misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain ausib-edu.org"; dns.query; content:"ausib-edu.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])ausib\-edu\.org$/i"; classtype:trojan-activity; sid:4221271; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain ausib-edu.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ausib-edu.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ausib\-edu\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4221272; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 77.83.196.47 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 77.83.196.47"; classtype:trojan-activity; sid:4221281; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain dirctt88.org"; dns.query; content:"dirctt88.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])dirctt88\.org$/i"; classtype:trojan-activity; sid:4221291; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain dirctt88.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; 
http.header; content:"dirctt88.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dirctt88\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4221292; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 77.83.198.158 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 77.83.198.158"; classtype:trojan-activity; sid:4221301; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 77.83.198.33 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 77.83.198.33"; classtype:trojan-activity; sid:4221311; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname cert.repta.live"; dns.query; content:"cert.repta.live"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cert\.repta\.live$/i"; classtype:trojan-activity; sid:4221321; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname cert.repta.live"; flow:to_server,established; http.header; content: "Host|3a| cert.repta.live"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cert\.repta\.live[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4221322; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 79.141.174.208 any (msg: "MISP e362 
[misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 79.141.174.208"; classtype:trojan-activity; sid:4221331; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain bol-south.org"; dns.query; content:"bol-south.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])bol\-south\.org$/i"; classtype:trojan-activity; sid:4221341; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain bol-south.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bol-south.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bol\-south\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4221342; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 83.171.236.239 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 83.171.236.239"; classtype:trojan-activity; sid:4221351; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain zretw.xyz"; dns.query; content:"zretw.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])zretw\.xyz$/i"; classtype:trojan-activity; sid:4221361; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain zretw.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"zretw.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])zretw\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4221362; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 89.248.171.166 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 89.248.171.166"; classtype:trojan-activity; sid:4221371; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain blesico.site"; dns.query; content:"blesico.site"; nocase; pcre: "/(^|[^A-Za-z0-9-])blesico\.site$/i"; classtype:trojan-activity; sid:4221381; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain blesico.site"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"blesico.site"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])blesico\.site[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4221382; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 91.193.18.176 any (msg: "MISP e362 
[misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 91.193.18.176"; classtype:trojan-activity; sid:4221391; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain dolper.top"; dns.query; content:"dolper.top"; nocase; pcre: "/(^|[^A-Za-z0-9-])dolper\.top$/i"; classtype:trojan-activity; sid:4221401; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain dolper.top"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dolper.top"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dolper\.top[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4221402; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 91.199.209.153 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 91.199.209.153"; classtype:trojan-activity; sid:4221411; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 91.245.253.73 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 91.245.253.73"; classtype:trojan-activity; sid:4221421; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 
[misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Hostname groove.olipy.info"; dns.query; content:"groove.olipy.info"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])groove\.olipy\.info$/i"; classtype:trojan-activity; sid:4221431; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Hostname groove.olipy.info"; flow:to_server,established; http.header; content: "Host|3a| groove.olipy.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])groove\.olipy\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4221432; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 92.118.190.143 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 92.118.190.143"; classtype:trojan-activity; sid:4221441; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain yrak.info"; dns.query; content:"yrak.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])yrak\.info$/i"; classtype:trojan-activity; sid:4221451; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain yrak.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; 
content:"yrak.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])yrak\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4221452; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 95.217.232.110 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 95.217.232.110"; classtype:trojan-activity; sid:4221461; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain hakimiya.live"; dns.query; content:"hakimiya.live"; nocase; pcre: "/(^|[^A-Za-z0-9-])hakimiya\.live$/i"; classtype:trojan-activity; sid:4221471; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain hakimiya.live"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hakimiya.live"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hakimiya\.live[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4221472; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 98.142.253.52 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 98.142.253.52"; classtype:trojan-activity; sid:4221481; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 
[misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain tiinly.co"; dns.query; content:"tiinly.co"; nocase; pcre: "/(^|[^A-Za-z0-9-])tiinly\.co$/i"; classtype:trojan-activity; sid:4221491; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain tiinly.co"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tiinly.co"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tiinly\.co[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4221492; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 98.142.254.133 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 98.142.254.133"; classtype:trojan-activity; sid:4221501; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain glorec.tech"; dns.query; content:"glorec.tech"; nocase; pcre: "/(^|[^A-Za-z0-9-])glorec\.tech$/i"; classtype:trojan-activity; sid:4221511; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain glorec.tech"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"glorec.tech"; 
fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])glorec\.tech[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4221512; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert ip $HOME_NET any -> 98.142.254.93 any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing To IP: 98.142.254.93"; classtype:trojan-activity; sid:4221521; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Domain article-viewer.com"; dns.query; content:"article-viewer.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])article\-viewer\.com$/i"; classtype:trojan-activity; sid:4221531; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e362 [misp-galaxy:malpedia="SideWinder",misp-galaxy:mitre-intrusion-set="Sidewinder - G0121",misp-galaxy:threat-actor="SideWinder",tlp:white] Outgoing HTTP Domain article-viewer.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"article-viewer.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])article\-viewer\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4221532; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/362;) alert dns any any -> any any (msg: "MISP e363 [misp-galaxy:sector="Government, Administration",misp-galaxy:sector="IT",misp-galaxy:sector="NGO",misp-galaxy:sector="Police - Law enforcement",misp-galaxy:country="ukraine",misp-galaxy:malpedia="reGeorg",misp-galaxy:tool="reGeorg",misp-galaxy:mitre-tool="Impacket - S0357",tlp:white] Domain justiceua.org"; dns.query; content:"justiceua.org"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])justiceua\.org$/i"; classtype:trojan-activity; sid:4221581; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/363;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e363 [misp-galaxy:sector="Government, Administration",misp-galaxy:sector="IT",misp-galaxy:sector="NGO",misp-galaxy:sector="Police - Law enforcement",misp-galaxy:country="ukraine",misp-galaxy:malpedia="reGeorg",misp-galaxy:tool="reGeorg",misp-galaxy:mitre-tool="Impacket - S0357",tlp:white] Outgoing HTTP Domain justiceua.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"justiceua.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])justiceua\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4221582; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/363;) alert ip $HOME_NET any -> 179.43.187.33 any (msg: "MISP e363 [misp-galaxy:sector="Government, Administration",misp-galaxy:sector="IT",misp-galaxy:sector="NGO",misp-galaxy:sector="Police - Law enforcement",misp-galaxy:country="ukraine",misp-galaxy:malpedia="reGeorg",misp-galaxy:tool="reGeorg",misp-galaxy:mitre-tool="Impacket - S0357",tlp:white] Outgoing To IP: 179.43.187.33"; classtype:trojan-activity; sid:4221591; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/363;) alert ip $HOME_NET any -> 185.161.208.234 any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing To IP: 185.161.208.234"; classtype:trojan-activity; sid:4221721; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert ip $HOME_NET any -> 139.180.185.24 any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing To IP: 139.180.185.24"; classtype:trojan-activity; sid:4221731; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert ip $HOME_NET any -> 199.247.30.230 any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing To IP: 
199.247.30.230"; classtype:trojan-activity; sid:4221741; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert ip $HOME_NET any -> 149.28.239.146 any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing To IP: 149.28.239.146"; classtype:trojan-activity; sid:4221751; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert ip $HOME_NET any -> 209.250.234.77 any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing To IP: 209.250.234.77"; classtype:trojan-activity; sid:4221761; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert ip $HOME_NET any -> 70.34.220.100 any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing To IP: 70.34.220.100"; classtype:trojan-activity; sid:4221771; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert dns any any -> any any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Hostname irc.socialfreedom.party"; dns.query; content:"irc.socialfreedom.party"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])irc\.socialfreedom\.party$/i"; classtype:trojan-activity; sid:4221781; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing HTTP Hostname irc.socialfreedom.party"; flow:to_server,established; http.header; content: "Host|3a| irc.socialfreedom.party"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])irc\.socialfreedom\.party[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4221782; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert dns any any -> any any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Hostname singapore.sg.socialfreedom.party"; dns.query; content:"singapore.sg.socialfreedom.party"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])singapore\.sg\.socialfreedom\.party$/i"; 
classtype:trojan-activity; sid:4221791; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing HTTP Hostname singapore.sg.socialfreedom.party"; flow:to_server,established; http.header; content: "Host|3a| singapore.sg.socialfreedom.party"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])singapore\.sg\.socialfreedom\.party[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4221792; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert dns any any -> any any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Hostname amsterdam.nl.socialfreedom.party"; dns.query; content:"amsterdam.nl.socialfreedom.party"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])amsterdam\.nl\.socialfreedom\.party$/i"; classtype:trojan-activity; sid:4221801; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing HTTP Hostname amsterdam.nl.socialfreedom.party"; flow:to_server,established; http.header; content: "Host|3a| amsterdam.nl.socialfreedom.party"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])amsterdam\.nl\.socialfreedom\.party[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4221802; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert dns any any -> any any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Hostname frankfurt.de.socialfreedom.party"; dns.query; content:"frankfurt.de.socialfreedom.party"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])frankfurt\.de\.socialfreedom\.party$/i"; classtype:trojan-activity; sid:4221811; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing 
HTTP Hostname frankfurt.de.socialfreedom.party"; flow:to_server,established; http.header; content: "Host|3a| frankfurt.de.socialfreedom.party"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])frankfurt\.de\.socialfreedom\.party[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4221812; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert dns any any -> any any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Hostname sidney.au.socialfreedom.party"; dns.query; content:"sidney.au.socialfreedom.party"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])sidney\.au\.socialfreedom\.party$/i"; classtype:trojan-activity; sid:4221821; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing HTTP Hostname sidney.au.socialfreedom.party"; flow:to_server,established; http.header; content: "Host|3a| sidney.au.socialfreedom.party"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])sidney\.au\.socialfreedom\.party[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4221822; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert dns any any -> any any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Hostname losangeles.us.socialfreedom.party"; dns.query; content:"losangeles.us.socialfreedom.party"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])losangeles\.us\.socialfreedom\.party$/i"; classtype:trojan-activity; sid:4221831; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing HTTP Hostname losangeles.us.socialfreedom.party"; flow:to_server,established; http.header; content: "Host|3a| losangeles.us.socialfreedom.party"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-\.])losangeles\.us\.socialfreedom\.party[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4221832; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert dns any any -> any any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Domain mumbaitravelers.org"; dns.query; content:"mumbaitravelers.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])mumbaitravelers\.org$/i"; classtype:trojan-activity; sid:4221841; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing HTTP Domain mumbaitravelers.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mumbaitravelers.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mumbaitravelers\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4221842; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert dns any any -> any any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Hostname sh.madagent.tm"; dns.query; content:"sh.madagent.tm"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])sh\.madagent\.tm$/i"; classtype:trojan-activity; sid:4221851; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing HTTP Hostname sh.madagent.tm"; flow:to_server,established; http.header; content: "Host|3a| sh.madagent.tm"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])sh\.madagent\.tm[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4221852; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert dns any any -> any any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Hostname ssh.madagent.tm"; dns.query; content:"ssh.madagent.tm"; nocase; pcre: 
"/(^|[^A-Za-z0-9-\.])ssh\.madagent\.tm$/i"; classtype:trojan-activity; sid:4221861; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing HTTP Hostname ssh.madagent.tm"; flow:to_server,established; http.header; content: "Host|3a| ssh.madagent.tm"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ssh\.madagent\.tm[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4221862; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert dns any any -> any any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Hostname dumpx.madagent.tm"; dns.query; content:"dumpx.madagent.tm"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])dumpx\.madagent\.tm$/i"; classtype:trojan-activity; sid:4221871; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing HTTP Hostname dumpx.madagent.tm"; flow:to_server,established; http.header; content: "Host|3a| dumpx.madagent.tm"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])dumpx\.madagent\.tm[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4221872; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert dns any any -> any any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Hostname reg.madagent.tm"; dns.query; content:"reg.madagent.tm"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])reg\.madagent\.tm$/i"; classtype:trojan-activity; sid:4221881; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing HTTP Hostname reg.madagent.tm"; flow:to_server,established; http.header; content: "Host|3a| reg.madagent.tm"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-\.])reg\.madagent\.tm[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4221882; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert dns any any -> any any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Hostname sshm.madagent.tm"; dns.query; content:"sshm.madagent.tm"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])sshm\.madagent\.tm$/i"; classtype:trojan-activity; sid:4221891; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing HTTP Hostname sshm.madagent.tm"; flow:to_server,established; http.header; content: "Host|3a| sshm.madagent.tm"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])sshm\.madagent\.tm[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4221892; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert dns any any -> any any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Hostname z.madagent.tm"; dns.query; content:"z.madagent.tm"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])z\.madagent\.tm$/i"; classtype:trojan-activity; sid:4221901; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing HTTP Hostname z.madagent.tm"; flow:to_server,established; http.header; content: "Host|3a| z.madagent.tm"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])z\.madagent\.tm[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4221902; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert dns any any -> any any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Hostname ssho.madagent.tm"; dns.query; content:"ssho.madagent.tm"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ssho\.madagent\.tm$/i"; classtype:trojan-activity; 
sid:4221911; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing HTTP Hostname ssho.madagent.tm"; flow:to_server,established; http.header; content: "Host|3a| ssho.madagent.tm"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ssho\.madagent\.tm[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4221912; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert dns any any -> any any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Hostname sshr.madagent.tm"; dns.query; content:"sshr.madagent.tm"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])sshr\.madagent\.tm$/i"; classtype:trojan-activity; sid:4221921; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing HTTP Hostname sshr.madagent.tm"; flow:to_server,established; http.header; content: "Host|3a| sshr.madagent.tm"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])sshr\.madagent\.tm[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4221922; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert dns any any -> any any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Hostname sshu.madagent.tm"; dns.query; content:"sshu.madagent.tm"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])sshu\.madagent\.tm$/i"; classtype:trojan-activity; sid:4221931; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing HTTP Hostname sshu.madagent.tm"; flow:to_server,established; http.header; content: "Host|3a| sshu.madagent.tm"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])sshu\.madagent\.tm[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4221932; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert dns any any -> any any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Hostname user.madagent.tm"; dns.query; content:"user.madagent.tm"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])user\.madagent\.tm$/i"; classtype:trojan-activity; sid:4221941; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing HTTP Hostname user.madagent.tm"; flow:to_server,established; http.header; content: "Host|3a| user.madagent.tm"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])user\.madagent\.tm[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4221942; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert dns any any -> any any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Domain madagent.cc"; dns.query; content:"madagent.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-])madagent\.cc$/i"; classtype:trojan-activity; sid:4221951; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing HTTP Domain madagent.cc"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"madagent.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])madagent\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4221952; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert dns any any -> any any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Hostname cler.madagent.cc"; dns.query; content:"cler.madagent.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cler\.madagent\.cc$/i"; classtype:trojan-activity; sid:4221961; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/364;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing HTTP Hostname cler.madagent.cc"; flow:to_server,established; http.header; content: "Host|3a| cler.madagent.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cler\.madagent\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4221962; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert dns any any -> any any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Hostname dumpx.madagent.cc"; dns.query; content:"dumpx.madagent.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])dumpx\.madagent\.cc$/i"; classtype:trojan-activity; sid:4221971; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing HTTP Hostname dumpx.madagent.cc"; flow:to_server,established; http.header; content: "Host|3a| dumpx.madagent.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])dumpx\.madagent\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4221972; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert dns any any -> any any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Hostname mh.madagent.cc"; dns.query; content:"mh.madagent.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mh\.madagent\.cc$/i"; classtype:trojan-activity; sid:4221981; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing HTTP Hostname mh.madagent.cc"; flow:to_server,established; http.header; content: "Host|3a| mh.madagent.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mh\.madagent\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4221982; 
rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert dns any any -> any any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Hostname ns1.madagent.cc"; dns.query; content:"ns1.madagent.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ns1\.madagent\.cc$/i"; classtype:trojan-activity; sid:4221991; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing HTTP Hostname ns1.madagent.cc"; flow:to_server,established; http.header; content: "Host|3a| ns1.madagent.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ns1\.madagent\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4221992; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert dns any any -> any any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Hostname ns2.madagent.cc"; dns.query; content:"ns2.madagent.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ns2\.madagent\.cc$/i"; classtype:trojan-activity; sid:4222001; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing HTTP Hostname ns2.madagent.cc"; flow:to_server,established; http.header; content: "Host|3a| ns2.madagent.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ns2\.madagent\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4222002; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert dns any any -> any any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Hostname ns3.madagent.cc"; dns.query; content:"ns3.madagent.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ns3\.madagent\.cc$/i"; classtype:trojan-activity; sid:4222011; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing HTTP Hostname ns3.madagent.cc"; flow:to_server,established; http.header; content: "Host|3a| ns3.madagent.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ns3\.madagent\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4222012; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert dns any any -> any any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Hostname ns4.madagent.cc"; dns.query; content:"ns4.madagent.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ns4\.madagent\.cc$/i"; classtype:trojan-activity; sid:4222021; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing HTTP Hostname ns4.madagent.cc"; flow:to_server,established; http.header; content: "Host|3a| ns4.madagent.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ns4\.madagent\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4222022; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert dns any any -> any any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Hostname reg.madagent.cc"; dns.query; content:"reg.madagent.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])reg\.madagent\.cc$/i"; classtype:trojan-activity; sid:4222031; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing HTTP Hostname reg.madagent.cc"; flow:to_server,established; http.header; content: "Host|3a| reg.madagent.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])reg\.madagent\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4222032; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert dns any any 
-> any any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Hostname ssh.madagent.cc"; dns.query; content:"ssh.madagent.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ssh\.madagent\.cc$/i"; classtype:trojan-activity; sid:4222041; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing HTTP Hostname ssh.madagent.cc"; flow:to_server,established; http.header; content: "Host|3a| ssh.madagent.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ssh\.madagent\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4222042; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert dns any any -> any any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Hostname sshm.madagent.cc"; dns.query; content:"sshm.madagent.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])sshm\.madagent\.cc$/i"; classtype:trojan-activity; sid:4222051; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing HTTP Hostname sshm.madagent.cc"; flow:to_server,established; http.header; content: "Host|3a| sshm.madagent.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])sshm\.madagent\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4222052; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert dns any any -> any any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Hostname ssho.madagent.cc"; dns.query; content:"ssho.madagent.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ssho\.madagent\.cc$/i"; classtype:trojan-activity; sid:4222061; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing HTTP 
Hostname ssho.madagent.cc"; flow:to_server,established; http.header; content: "Host|3a| ssho.madagent.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ssho\.madagent\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4222062; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert dns any any -> any any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Hostname sshr.madagent.cc"; dns.query; content:"sshr.madagent.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])sshr\.madagent\.cc$/i"; classtype:trojan-activity; sid:4222071; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing HTTP Hostname sshr.madagent.cc"; flow:to_server,established; http.header; content: "Host|3a| sshr.madagent.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])sshr\.madagent\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4222072; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert dns any any -> any any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Hostname sshu.madagent.cc"; dns.query; content:"sshu.madagent.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])sshu\.madagent\.cc$/i"; classtype:trojan-activity; sid:4222081; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing HTTP Hostname sshu.madagent.cc"; flow:to_server,established; http.header; content: "Host|3a| sshu.madagent.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])sshu\.madagent\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4222082; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert dns any any -> any any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] 
Hostname user.madagent.cc"; dns.query; content:"user.madagent.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])user\.madagent\.cc$/i"; classtype:trojan-activity; sid:4222091; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing HTTP Hostname user.madagent.cc"; flow:to_server,established; http.header; content: "Host|3a| user.madagent.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])user\.madagent\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4222092; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert dns any any -> any any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Hostname www.madagent.cc"; dns.query; content:"www.madagent.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.madagent\.cc$/i"; classtype:trojan-activity; sid:4222101; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing HTTP Hostname www.madagent.cc"; flow:to_server,established; http.header; content: "Host|3a| www.madagent.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.madagent\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4222102; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert dns any any -> any any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Hostname rsh.sys-stat.download"; dns.query; content:"rsh.sys-stat.download"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])rsh\.sys\-stat\.download$/i"; classtype:trojan-activity; sid:4222111; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing HTTP Hostname rsh.sys-stat.download"; 
flow:to_server,established; http.header; content: "Host|3a| rsh.sys-stat.download"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])rsh\.sys\-stat\.download[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4222112; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert dns any any -> any any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Hostname sh.sys-stat.download"; dns.query; content:"sh.sys-stat.download"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])sh\.sys\-stat\.download$/i"; classtype:trojan-activity; sid:4222121; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing HTTP Hostname sh.sys-stat.download"; flow:to_server,established; http.header; content: "Host|3a| sh.sys-stat.download"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])sh\.sys\-stat\.download[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4222122; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert dns any any -> any any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Hostname sh.rawdot.net"; dns.query; content:"sh.rawdot.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])sh\.rawdot\.net$/i"; classtype:trojan-activity; sid:4222131; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing HTTP Hostname sh.rawdot.net"; flow:to_server,established; http.header; content: "Host|3a| sh.rawdot.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])sh\.rawdot\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4222132; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert dns any any -> any any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Hostname 
ssho.rawdot.net"; dns.query; content:"ssho.rawdot.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ssho\.rawdot\.net$/i"; classtype:trojan-activity; sid:4222141; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing HTTP Hostname ssho.rawdot.net"; flow:to_server,established; http.header; content: "Host|3a| ssho.rawdot.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ssho\.rawdot\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4222142; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert dns any any -> any any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Hostname donate.xmr.rawdot.net"; dns.query; content:"donate.xmr.rawdot.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])donate\.xmr\.rawdot\.net$/i"; classtype:trojan-activity; sid:4222151; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing HTTP Hostname donate.xmr.rawdot.net"; flow:to_server,established; http.header; content: "Host|3a| donate.xmr.rawdot.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])donate\.xmr\.rawdot\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4222152; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert dns any any -> any any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Hostname pool.rawdot.net"; dns.query; content:"pool.rawdot.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])pool\.rawdot\.net$/i"; classtype:trojan-activity; sid:4222161; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing HTTP Hostname pool.rawdot.net"; flow:to_server,established; 
http.header; content: "Host|3a| pool.rawdot.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])pool\.rawdot\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4222162; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert dns any any -> any any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Hostname 2018.rawdot.net"; dns.query; content:"2018.rawdot.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])2018\.rawdot\.net$/i"; classtype:trojan-activity; sid:4222171; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing HTTP Hostname 2018.rawdot.net"; flow:to_server,established; http.header; content: "Host|3a| 2018.rawdot.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])2018\.rawdot\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4222172; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert dns any any -> any any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Hostname blog.rawdot.net"; dns.query; content:"blog.rawdot.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])blog\.rawdot\.net$/i"; classtype:trojan-activity; sid:4222181; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing HTTP Hostname blog.rawdot.net"; flow:to_server,established; http.header; content: "Host|3a| blog.rawdot.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])blog\.rawdot\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4222182; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert dns any any -> any any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Hostname clients.rawdot.net"; dns.query; content:"clients.rawdot.net"; 
nocase; pcre: "/(^|[^A-Za-z0-9-\.])clients\.rawdot\.net$/i"; classtype:trojan-activity; sid:4222191; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing HTTP Hostname clients.rawdot.net"; flow:to_server,established; http.header; content: "Host|3a| clients.rawdot.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])clients\.rawdot\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4222192; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;)
alert dns any any -> any any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Hostname ftp.rawdot.net"; dns.query; content:"ftp.rawdot.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ftp\.rawdot\.net$/i"; classtype:trojan-activity; sid:4222201; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing HTTP Hostname ftp.rawdot.net"; flow:to_server,established; http.header; content: "Host|3a| ftp.rawdot.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ftp\.rawdot\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4222202; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;)
alert dns any any -> any any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Hostname psql01.rawdot.net"; dns.query; content:"psql01.rawdot.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])psql01\.rawdot\.net$/i"; classtype:trojan-activity; sid:4222211; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing HTTP Hostname psql01.rawdot.net"; flow:to_server,established; http.header; content: "Host|3a| psql01.rawdot.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])psql01\.rawdot\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4222212; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;)
alert dns any any -> any any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Hostname www.rawdot.net"; dns.query; content:"www.rawdot.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.rawdot\.net$/i"; classtype:trojan-activity; sid:4222221; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing HTTP Hostname www.rawdot.net"; flow:to_server,established; http.header; content: "Host|3a| www.rawdot.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.rawdot\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4222222; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;)
# NOTE(review): sids 4222231/4222232 below (and 4222241/4222242 for ss.|30 78|badc0de.stream, which follow)
# carry the hostname's "0x" as the pipe-hex escape |30 78|. Inside content:"..." that escape decodes to the
# two bytes 0x30 0x78 ("0x"), but inside pcre:"..." the \|30 78\| is an ordinary regex literal for the seven
# characters "|30 78|". content and pcre in one rule are ANDed, so these four rules can never match the
# hostname their content keyword matches; the rules load without error, so the gap is silent. The pcre
# should read sh\.0xbadc0de\.stream / ss\.0xbadc0de\.stream, the same shape the other pcre's in this event use.
alert dns any any -> any any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Hostname sh.|30 78|badc0de.stream"; dns.query; content:"sh.|30 78|badc0de.stream"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])sh\.\|30 78\|badc0de\.stream$/i"; classtype:trojan-activity; sid:4222231; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing HTTP Hostname sh.|30 78|badc0de.stream"; flow:to_server,established; http.header; content: "Host|3a| sh.|30 78|badc0de.stream"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])sh\.\|30 78\|badc0de\.stream[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4222232; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;)
alert dns any any -> any any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Hostname ss.|30 78|badc0de.stream"; dns.query; content:"ss.|30 78|badc0de.stream"; nocase; pcre: 
"/(^|[^A-Za-z0-9-\.])ss\.\|30 78\|badc0de\.stream$/i"; classtype:trojan-activity; sid:4222241; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Outgoing HTTP Hostname ss.|30 78|badc0de.stream"; flow:to_server,established; http.header; content: "Host|3a| ss.|30 78|badc0de.stream"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ss\.\|30 78\|badc0de\.stream[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4222242; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Source Email Address: asterzeu@yahoo.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"asterzeu@yahoo.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4222251; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e364 [misp-galaxy:malpedia="reptile",tlp:white] Source Email Address: dotsysadmin@protonmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"dotsysadmin@protonmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4222261; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/364;) alert ip $HOME_NET any -> 5.90.58.69 any (msg: "MISP e365 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1193"] Outgoing To IP: 5.90.58.69"; classtype:trojan-activity; sid:4223081; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/365;) alert ip $HOME_NET any -> 62.233.57.136 any (msg: "MISP e365 
[misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1193"] Outgoing To IP: 62.233.57.136"; classtype:trojan-activity; sid:4223091; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/365;) alert ip $HOME_NET any -> 217.12.207.164 any (msg: "MISP e365 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1193"] Outgoing To IP: 217.12.207.164"; classtype:trojan-activity; sid:4223101; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/365;) alert ip $HOME_NET any -> 152.152.12.12 any (msg: "MISP e365 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1193"] Outgoing To IP: 152.152.12.12"; classtype:trojan-activity; sid:4223111; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/365;) alert dns any any -> any any (msg: "MISP e365 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1193"] Domain jcswcd.com"; dns.query; content:"jcswcd.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])jcswcd\.com$/i"; classtype:trojan-activity; sid:4223121; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/365;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e365 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1193"] Outgoing HTTP Domain jcswcd.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"jcswcd.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])jcswcd\.com[^A-Za-z0-9-\.]/Hi"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4223122; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/365;) alert dns any any -> any any (msg: "MISP e365 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1193"] Domain newsmailnet.com"; dns.query; content:"newsmailnet.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])newsmailnet\.com$/i"; classtype:trojan-activity; sid:4223131; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/365;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e365 [misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129",misp-galaxy:mitre-malware="PlugX - S0013",tlp:white,misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1193"] Outgoing HTTP Domain newsmailnet.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"newsmailnet.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])newsmailnet\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4223132; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/365;) alert dns any any -> any any (msg: "MISP e366 [misp-galaxy:mitre-intrusion-set="Charming Kitten - G0058",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1193",tlp:white] Hostname openlibrary.ignorelist.com"; dns.query; content:"openlibrary.ignorelist.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])openlibrary\.ignorelist\.com$/i"; classtype:trojan-activity; sid:4223351; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/366;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e366 [misp-galaxy:mitre-intrusion-set="Charming Kitten - G0058",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1193",tlp:white] Outgoing HTTP Hostname openlibrary.ignorelist.com"; flow:to_server,established; http.header; content: "Host|3a| 
openlibrary.ignorelist.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])openlibrary\.ignorelist\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4223352; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/366;) alert dns any any -> any any (msg: "MISP e366 [misp-galaxy:mitre-intrusion-set="Charming Kitten - G0058",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1193",tlp:white] Hostname fuschia-rhinestone.cleverapps.io"; dns.query; content:"fuschia-rhinestone.cleverapps.io"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])fuschia\-rhinestone\.cleverapps\.io$/i"; classtype:trojan-activity; sid:4223391; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/366;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e366 [misp-galaxy:mitre-intrusion-set="Charming Kitten - G0058",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1193",tlp:white] Outgoing HTTP Hostname fuschia-rhinestone.cleverapps.io"; flow:to_server,established; http.header; content: "Host|3a| fuschia-rhinestone.cleverapps.io"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])fuschia\-rhinestone\.cleverapps\.io[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4223392; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/366;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e366 [misp-galaxy:mitre-intrusion-set="Charming Kitten - G0058",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1193",tlp:white] Outgoing URL http|3a|//bluebox10546.s3.us-west-004.backblazeb2.com/sa/88W3X81EN/cettj34c.txt"; flow:to_server,established; http.header; content:"bluebox10546.s3.us-west-004.backblazeb2.com"; fast_pattern; nocase; http.uri; content:"/sa/88W3X81EN/cettj34c.txt"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4223401; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/366;) alert tls $HOME_NET any -> $EXTERNAL_NET 
443 (msg: "MISP e366 [misp-galaxy:mitre-intrusion-set="Charming Kitten - G0058",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1193",tlp:white] Outgoing URL https|3a|//s3.us-west-004.backblazeb2.com/bluebox10546/k41we/k24510.txt"; tls.sni; content:"s3.us-west-004.backblazeb2.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4223411; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/366;)
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e366 [misp-galaxy:mitre-intrusion-set="Charming Kitten - G0058",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1193",tlp:white] Outgoing URL https|3a|//bluebox10546.s3.us-west-004.backblazeb2.com/share/Us-China.pdf"; tls.sni; content:"bluebox10546.s3.us-west-004.backblazeb2.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4223421; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/366;)
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e366 [misp-galaxy:mitre-intrusion-set="Charming Kitten - G0058",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1193",tlp:white] Outgoing URL https|3a|//bluebox10546.s3.us-west-004.backblazeb2.com/k41we/btw74c.txt"; tls.sni; content:"bluebox10546.s3.us-west-004.backblazeb2.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4223431; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/366;)
# NOTE(review): sids 4223411 (above) and 4223441 (below) come from path-style URLs, so their tls.sni content is
# s3.us-west-004.backblazeb2.com, the shared Backblaze B2 endpoint; the bucket that actually distinguishes the
# indicator (bluebox10546) sits in the URL path, which a TLS SNI never shows. content here is an unanchored
# substring match, so any TLS session whose SNI contains that endpoint (including every <bucket>.s3.us-west-004.
# backblazeb2.com) will alert. Expect false positives wherever B2 is used legitimately; the bucket-qualified SNI
# in sids 4223421/4223431 is the higher-fidelity form, so consider disabling these two or lowering their priority.
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e366 [misp-galaxy:mitre-intrusion-set="Charming Kitten - G0058",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1193",tlp:white] Outgoing URL https|3a|//s3.us-west-004.backblazeb2.com/bluebox10546/k41we/bts74e.txt"; tls.sni; content:"s3.us-west-004.backblazeb2.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4223441; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/366;)
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e366 
[misp-galaxy:mitre-intrusion-set="Charming Kitten - G0058",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1193",tlp:white] Outgoing URL https|3a|//personalstorage1687.s3.us-west-004.backblazeb2.com"; tls.sni; content:"personalstorage1687.s3.us-west-004.backblazeb2.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4223451; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/366;) alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain 4qzm.com"; dns.query; content:"4qzm.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])4qzm\.com$/i"; classtype:trojan-activity; sid:4224741; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - 
T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain 4qzm.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"4qzm.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])4qzm\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4224742; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain combinedresidency.org"; dns.query; content:"combinedresidency.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])combinedresidency\.org$/i"; classtype:trojan-activity; sid:4224751; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - 
T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain combinedresidency.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"combinedresidency.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])combinedresidency\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4224752; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain dgtlocean.com"; dns.query; content:"dgtlocean.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])dgtlocean\.com$/i"; classtype:trojan-activity; sid:4224761; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - 
T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain dgtlocean.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dgtlocean.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dgtlocean\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4224762; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain gangstergo.com"; dns.query; content:"gangstergo.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])gangstergo\.com$/i"; classtype:trojan-activity; sid:4224771; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials 
from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain gangstergo.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gangstergo.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gangstergo\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4224772; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain hexactor.com"; dns.query; content:"hexactor.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])hexactor\.com$/i"; classtype:trojan-activity; sid:4224781; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component 
Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain hexactor.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hexactor.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hexactor\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4224782; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain hl-analytics.net"; dns.query; content:"hl-analytics.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])hl\-analytics\.net$/i"; classtype:trojan-activity; sid:4224791; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 
[misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain hl-analytics.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hl-analytics.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hl\-analytics\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4224792; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain kagomadb.com"; dns.query; content:"kagomadb.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])kagomadb\.com$/i"; classtype:trojan-activity; sid:4224801; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/367;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain kagomadb.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kagomadb.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kagomadb\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4224802; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain notfiled.com"; dns.query; content:"notfiled.com"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])notfiled\.com$/i"; classtype:trojan-activity; sid:4224811; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain notfiled.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"notfiled.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])notfiled\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4224812; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, 
Administration",misp-galaxy:sector="Military",tlp:white] Domain optasko.com"; dns.query; content:"optasko.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])optasko\.com$/i"; classtype:trojan-activity; sid:4224821; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain optasko.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"optasko.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])optasko\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4224822; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - 
T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain rdpcamp.com"; dns.query; content:"rdpcamp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])rdpcamp\.com$/i"; classtype:trojan-activity; sid:4224831; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain rdpcamp.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"rdpcamp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])rdpcamp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4224832; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - 
T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain singlesign.online"; dns.query; content:"singlesign.online"; nocase; pcre: "/(^|[^A-Za-z0-9-])singlesign\.online$/i"; classtype:trojan-activity; sid:4224841; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain singlesign.online"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"singlesign.online"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])singlesign\.online[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4224842; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - 
T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain sparklingprice.com"; dns.query; content:"sparklingprice.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])sparklingprice\.com$/i"; classtype:trojan-activity; sid:4224851; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain sparklingprice.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sparklingprice.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sparklingprice\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4224852; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - 
T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain startleague.net"; dns.query; content:"startleague.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])startleague\.net$/i"; classtype:trojan-activity; sid:4224861; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain startleague.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"startleague.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])startleague\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4224862; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire 
Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain wexonlake.com"; dns.query; content:"wexonlake.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])wexonlake\.com$/i"; classtype:trojan-activity; sid:4224871; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain wexonlake.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wexonlake.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wexonlake\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4224872; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert 
dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain you-supported.com"; dns.query; content:"you-supported.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])you\-supported\.com$/i"; classtype:trojan-activity; sid:4224881; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain you-supported.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"you-supported.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])you\-supported\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4224882; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain advanced-ip-scaner.com"; dns.query; content:"advanced-ip-scaner.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])advanced\-ip\-scaner\.com$/i"; classtype:trojan-activity; sid:4224891; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain advanced-ip-scaner.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; 
content:"advanced-ip-scaner.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])advanced\-ip\-scaner\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4224892; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain advanced-ip-scanners.com"; dns.query; content:"advanced-ip-scanners.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])advanced\-ip\-scanners\.com$/i"; classtype:trojan-activity; sid:4224901; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, 
Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain advanced-ip-scanners.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"advanced-ip-scanners.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])advanced\-ip\-scanners\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4224902; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain astrachat.us"; dns.query; content:"astrachat.us"; nocase; pcre: "/(^|[^A-Za-z0-9-])astrachat\.us$/i"; classtype:trojan-activity; sid:4224911; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web 
Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain astrachat.us"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"astrachat.us"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])astrachat\.us[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4224912; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain astrachats.com"; dns.query; content:"astrachats.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])astrachats\.com$/i"; classtype:trojan-activity; sid:4224921; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - 
T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain astrachats.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"astrachats.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])astrachats\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4224922; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain chatgpt4beta.com"; dns.query; content:"chatgpt4beta.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])chatgpt4beta\.com$/i"; classtype:trojan-activity; sid:4224931; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - 
T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain chatgpt4beta.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"chatgpt4beta.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])chatgpt4beta\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4224932; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain cnealsoftware.com"; dns.query; content:"cnealsoftware.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])cnealsoftware\.com$/i"; classtype:trojan-activity; sid:4224941; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - 
T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain cnealsoftware.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cnealsoftware.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cnealsoftware\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4224942; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain convertmypdfnow.net"; dns.query; content:"convertmypdfnow.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])convertmypdfnow\.net$/i"; classtype:trojan-activity; sid:4224951; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 
[misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain convertmypdfnow.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"convertmypdfnow.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])convertmypdfnow\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4224952; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain cozy-sofware.com"; dns.query; content:"cozy-sofware.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])cozy\-sofware\.com$/i"; classtype:trojan-activity; sid:4224961; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/367;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain cozy-sofware.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cozy-sofware.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cozy\-sofware\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4224962; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain decropingsof.com"; dns.query; content:"decropingsof.com"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])decropingsof\.com$/i"; classtype:trojan-activity; sid:4224971; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain decropingsof.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"decropingsof.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])decropingsof\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4224972; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, 
Administration",misp-galaxy:sector="Military",tlp:white] Domain decropsoftware.com"; dns.query; content:"decropsoftware.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])decropsoftware\.com$/i"; classtype:trojan-activity; sid:4224981; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain decropsoftware.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"decropsoftware.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])decropsoftware\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4224982; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols 
- T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain devolrdm.com"; dns.query; content:"devolrdm.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])devolrdm\.com$/i"; classtype:trojan-activity; sid:4224991; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain devolrdm.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"devolrdm.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])devolrdm\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4224992; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - 
T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain devolutionrdp.com"; dns.query; content:"devolutionrdp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])devolutionrdp\.com$/i"; classtype:trojan-activity; sid:4225001; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain devolutionrdp.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"devolutionrdp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])devolutionrdp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4225002; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - 
T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain dirwinstat.com"; dns.query; content:"dirwinstat.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])dirwinstat\.com$/i"; classtype:trojan-activity; sid:4225011; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain dirwinstat.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dirwinstat.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dirwinstat\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4225012; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - 
T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain gllmp.com"; dns.query; content:"gllmp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])gllmp\.com$/i"; classtype:trojan-activity; sid:4225021; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain gllmp.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gllmp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gllmp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4225022; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - 
T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain gotomeet.us"; dns.query; content:"gotomeet.us"; nocase; pcre: "/(^|[^A-Za-z0-9-])gotomeet\.us$/i"; classtype:trojan-activity; sid:4225031; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain gotomeet.us"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gotomeet.us"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gotomeet\.us[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4225032; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert dns any any -> any any (msg: 
"MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain icarusoftwares.com"; dns.query; content:"icarusoftwares.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])icarusoftwares\.com$/i"; classtype:trojan-activity; sid:4225041; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain icarusoftwares.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"icarusoftwares.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])icarusoftwares\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; 
sid:4225042; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain kee-pass.com"; dns.query; content:"kee-pass.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])kee\-pass\.com$/i"; classtype:trojan-activity; sid:4225051; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain kee-pass.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kee-pass.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])kee\-pass\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4225052; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain keepas.org"; dns.query; content:"keepas.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])keepas\.org$/i"; classtype:trojan-activity; sid:4225061; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain keepas.org"; flow:to_server,established; http.header; content: "Host|3a|"; 
nocase; http.header; content:"keepas.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])keepas\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4225062; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain keepasss.info"; dns.query; content:"keepasss.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])keepasss\.info$/i"; classtype:trojan-activity; sid:4225071; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain 
keepasss.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"keepasss.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])keepasss\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4225072; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain lnfo-messengers.com"; dns.query; content:"lnfo-messengers.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])lnfo\-messengers\.com$/i"; classtype:trojan-activity; sid:4225081; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - 
T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain lnfo-messengers.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lnfo-messengers.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lnfo\-messengers\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4225082; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain mansoftwarecoz.com"; dns.query; content:"mansoftwarecoz.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])mansoftwarecoz\.com$/i"; classtype:trojan-activity; sid:4225091; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - 
T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain mansoftwarecoz.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mansoftwarecoz.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mansoftwarecoz\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4225092; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain mypodsblocked.com"; dns.query; content:"mypodsblocked.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])mypodsblocked\.com$/i"; classtype:trojan-activity; sid:4225101; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - 
T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain mypodsblocked.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mypodsblocked.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mypodsblocked\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4225102; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain nerobiom.com"; dns.query; content:"nerobiom.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])nerobiom\.com$/i"; classtype:trojan-activity; sid:4225111; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - 
T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain nerobiom.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nerobiom.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nerobiom\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4225112; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain nexiandevel.com"; dns.query; content:"nexiandevel.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])nexiandevel\.com$/i"; classtype:trojan-activity; sid:4225121; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model 
Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain nexiandevel.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nexiandevel.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nexiandevel\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4225122; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain npm-solar.com"; dns.query; content:"npm-solar.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])npm\-solar\.com$/i"; classtype:trojan-activity; sid:4225131; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 
[misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain npm-solar.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"npm-solar.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])npm\-solar\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4225132; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain pass-shield.com"; dns.query; content:"pass-shield.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])pass\-shield\.com$/i"; classtype:trojan-activity; sid:4225141; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/367;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain pass-shield.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pass-shield.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pass\-shield\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4225142; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain pdf-filer.com"; dns.query; content:"pdf-filer.com"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])pdf\-filer\.com$/i"; classtype:trojan-activity; sid:4225151; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain pdf-filer.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pdf-filer.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pdf\-filer\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4225152; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, 
Administration",misp-galaxy:sector="Military",tlp:white] Domain pdffiller-review.com"; dns.query; content:"pdffiller-review.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])pdffiller\-review\.com$/i"; classtype:trojan-activity; sid:4225161; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain pdffiller-review.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pdffiller-review.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pdffiller\-review\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4225162; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - 
T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain pdffreader.com"; dns.query; content:"pdffreader.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])pdffreader\.com$/i"; classtype:trojan-activity; sid:4225171; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain pdffreader.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pdffreader.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pdffreader\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4225172; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - 
T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain pdfilier.com"; dns.query; content:"pdfilier.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])pdfilier\.com$/i"; classtype:trojan-activity; sid:4225181; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain pdfilier.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pdfilier.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pdfilier\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4225182; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - 
T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain pdfillers.com"; dns.query; content:"pdfillers.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])pdfillers\.com$/i"; classtype:trojan-activity; sid:4225191; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain pdfillers.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pdfillers.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pdfillers\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4225192; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model 
Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain putmastering.com"; dns.query; content:"putmastering.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])putmastering\.com$/i"; classtype:trojan-activity; sid:4225201; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain putmastering.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"putmastering.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])putmastering\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4225202; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;) alert dns any any -> any any (msg: "MISP e367 
[misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain rdp-devolutions.com"; dns.query; content:"rdp-devolutions.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])rdp\-devolutions\.com$/i"; classtype:trojan-activity; sid:4225211; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;)
# MISP event 367 domain attributes: each domain is exported as a pair of rules that share a
# sid prefix, ...1 = DNS query match, ...2 = cleartext HTTP Host-header match.
# NOTE(review): the pcre prefix class (^|[^A-Za-z0-9-]) does not exclude '.', so sub-domains
# of each name match as well. The DNS rules are any/any in both directions, so a sensor that
# sees both the client query and the resolver's upstream forward may alert twice per lookup.
# An HTTPS connection to one of these domains is only caught through the DNS rule - no
# TLS/SNI rule is exported for these attributes here. tag:session,600,seconds makes a
# matching HTTP rule log the remainder of that flow for ten minutes.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain rdp-devolutions.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"rdp-devolutions.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])rdp\-devolutions\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4225212; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;)
alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain readerpdf.net"; dns.query; content:"readerpdf.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])readerpdf\.net$/i"; classtype:trojan-activity; sid:4225221; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain readerpdf.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"readerpdf.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])readerpdf\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4225222; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;)
alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain remsoftman.com"; dns.query; content:"remsoftman.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])remsoftman\.com$/i"; classtype:trojan-activity; sid:4225231; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain remsoftman.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"remsoftman.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])remsoftman\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4225232; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;)
alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain singularlabs.org"; dns.query; content:"singularlabs.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])singularlabs\.org$/i"; classtype:trojan-activity; sid:4225241; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain singularlabs.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"singularlabs.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])singularlabs\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4225242; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;)
alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain veeame.com"; dns.query; content:"veeame.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])veeame\.com$/i"; classtype:trojan-activity; sid:4225251; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain veeame.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"veeame.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])veeame\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4225252; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;)
alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain vectordmanagesoft.com"; dns.query; content:"vectordmanagesoft.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])vectordmanagesoft\.com$/i"; classtype:trojan-activity; sid:4225261; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain vectordmanagesoft.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vectordmanagesoft.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vectordmanagesoft\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4225262; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;)
alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain winscpn.com"; dns.query; content:"winscpn.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])winscpn\.com$/i"; classtype:trojan-activity; sid:4225271; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain winscpn.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"winscpn.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])winscpn\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4225272; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;)
alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain wormakejean.com"; dns.query; content:"wormakejean.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])wormakejean\.com$/i"; classtype:trojan-activity; sid:4225281; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain wormakejean.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wormakejean.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wormakejean\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4225282; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;)
alert dns any any -> any any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Domain wveeam.com"; dns.query; content:"wveeam.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])wveeam\.com$/i"; classtype:trojan-activity; sid:4225291; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing HTTP Domain wveeam.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wveeam.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wveeam\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4225292; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;)
# Event 367 IP attributes. 'alert ip $HOME_NET any -> <ip> any' carries no port or content
# constraint, so every packet from $HOME_NET to the address alerts, not only the C2 session.
# NOTE(review): confirm the address is still attributed in the referenced event before
# turning these into drop rules - shared or re-assigned hosting addresses are a common
# false-positive source for bare IP indicators.
alert ip $HOME_NET any -> 94.142.138.244 any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing To IP: 94.142.138.244"; classtype:trojan-activity; sid:4225301; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;)
alert ip $HOME_NET any -> 51.195.49.215 any (msg: "MISP e367 [misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - 
T1583",misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015",misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Screen Capture - T1113",misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",tlp:white] Outgoing To IP: 51.195.49.215"; classtype:trojan-activity; sid:4225311; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/367;)
# MISP event 368 (ZIRCONIUM / G0128): IP-only indicators exported at priority:1.
# NOTE(review): 'alert ip $HOME_NET any -> <ip> any' has no port or content match, so any
# packet from $HOME_NET to the address alerts regardless of protocol. Check attribution and
# indicator age against the referenced event before blocking - hosting and VPN addresses are
# re-assigned, and a stale entry at this priority will block legitimate traffic.
alert ip $HOME_NET any -> 51.89.156.153 any (msg: "MISP e368 [misp-galaxy:mitre-intrusion-set="ZIRCONIUM - G0128",misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Legal",misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Outgoing To IP: 51.89.156.153"; classtype:trojan-activity; sid:4225391; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/368;)
alert ip $HOME_NET any -> 176.31.90.129 any (msg: "MISP e368 [misp-galaxy:mitre-intrusion-set="ZIRCONIUM - G0128",misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Legal",misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Outgoing To IP: 176.31.90.129"; classtype:trojan-activity; sid:4225401; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/368;)
alert ip $HOME_NET any -> 137.74.181.100 any (msg: "MISP e368 [misp-galaxy:mitre-intrusion-set="ZIRCONIUM - G0128",misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Legal",misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Outgoing To IP: 137.74.181.100"; classtype:trojan-activity; sid:4225411; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/368;)
alert ip $HOME_NET any -> 193.36.119.45 any (msg: "MISP e368 [misp-galaxy:mitre-intrusion-set="ZIRCONIUM - G0128",misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Legal",misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Outgoing To IP: 193.36.119.45"; classtype:trojan-activity; sid:4225421; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/368;)
alert ip $HOME_NET any -> 185.158.248.159 any (msg: "MISP e368 [misp-galaxy:mitre-intrusion-set="ZIRCONIUM - G0128",misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Legal",misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Outgoing To IP: 185.158.248.159"; classtype:trojan-activity; sid:4225431; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/368;)
alert ip $HOME_NET any -> 131.153.78.188 any (msg: "MISP e368 [misp-galaxy:mitre-intrusion-set="ZIRCONIUM - G0128",misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Legal",misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Outgoing To IP: 131.153.78.188"; classtype:trojan-activity; sid:4225441; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/368;)
alert ip $HOME_NET any -> 37.143.130.146 any (msg: "MISP e368 [misp-galaxy:mitre-intrusion-set="ZIRCONIUM - G0128",misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Legal",misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Outgoing To IP: 37.143.130.146"; classtype:trojan-activity; sid:4225451; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/368;)
alert ip $HOME_NET any -> 146.70.157.45 any (msg: "MISP e368 [misp-galaxy:mitre-intrusion-set="ZIRCONIUM - G0128",misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Legal",misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Outgoing To IP: 146.70.157.45"; classtype:trojan-activity; sid:4225461; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/368;)
alert ip $HOME_NET any -> 185.195.200.39 any (msg: "MISP e368 [misp-galaxy:mitre-intrusion-set="ZIRCONIUM - G0128",misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Legal",misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Outgoing To IP: 185.195.200.39"; classtype:trojan-activity; sid:4225471; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/368;)
alert ip $HOME_NET any -> 185.38.142.229 any (msg: "MISP e368 [misp-galaxy:mitre-intrusion-set="ZIRCONIUM - G0128",misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Legal",misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Outgoing To IP: 185.38.142.229"; classtype:trojan-activity; sid:4225481; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/368;)
alert ip $HOME_NET any -> 146.70.121.44 any (msg: "MISP e368 [misp-galaxy:mitre-intrusion-set="ZIRCONIUM - G0128",misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Legal",misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Outgoing To IP: 146.70.121.44"; classtype:trojan-activity; sid:4225491; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/368;)
alert ip $HOME_NET any -> 31.42.177.181 any (msg: "MISP e368 [misp-galaxy:mitre-intrusion-set="ZIRCONIUM - G0128",misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Legal",misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Outgoing To IP: 31.42.177.181"; classtype:trojan-activity; sid:4225501; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/368;)
alert ip $HOME_NET any -> 185.51.134.52 any (msg: "MISP e368 [misp-galaxy:mitre-intrusion-set="ZIRCONIUM - G0128",misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Legal",misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Outgoing To IP: 185.51.134.52"; classtype:trojan-activity; sid:4225511; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/368;)
alert ip $HOME_NET any -> 173.44.226.70 any (msg: "MISP e368 [misp-galaxy:mitre-intrusion-set="ZIRCONIUM - G0128",misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Legal",misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Outgoing To IP: 173.44.226.70"; classtype:trojan-activity; sid:4225521; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/368;)
alert ip $HOME_NET any -> 45.14.227.233 any (msg: "MISP e368 [misp-galaxy:mitre-intrusion-set="ZIRCONIUM - G0128",misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Legal",misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Outgoing To IP: 45.14.227.233"; classtype:trojan-activity; sid:4225531; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/368;)
alert ip $HOME_NET any -> 185.236.231.109 any (msg: "MISP e368 [misp-galaxy:mitre-intrusion-set="ZIRCONIUM - G0128",misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Legal",misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Outgoing To IP: 185.236.231.109"; classtype:trojan-activity; sid:4225541; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/368;)
alert ip $HOME_NET any -> 178.73.220.149 any (msg: "MISP e368 [misp-galaxy:mitre-intrusion-set="ZIRCONIUM - G0128",misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Legal",misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Outgoing To IP: 178.73.220.149"; classtype:trojan-activity; sid:4225551; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/368;)
alert ip $HOME_NET any -> 45.14.227.212 any (msg: "MISP e368 [misp-galaxy:mitre-intrusion-set="ZIRCONIUM - G0128",misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Legal",misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Outgoing To IP: 45.14.227.212"; classtype:trojan-activity; sid:4225561; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/368;)
alert ip $HOME_NET any -> 91.222.173.225 any (msg: "MISP e368 [misp-galaxy:mitre-intrusion-set="ZIRCONIUM - G0128",misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Legal",misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Outgoing To IP: 91.222.173.225"; classtype:trojan-activity; sid:4225571; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/368;)
alert ip $HOME_NET any -> 146.70.35.168 any (msg: "MISP e368 [misp-galaxy:mitre-intrusion-set="ZIRCONIUM - G0128",misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Legal",misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Outgoing To IP: 146.70.35.168"; classtype:trojan-activity; sid:4225581; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/368;)
alert ip $HOME_NET any -> 146.70.157.213 any (msg: "MISP e368 [misp-galaxy:mitre-intrusion-set="ZIRCONIUM - G0128",misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Legal",misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Outgoing To IP: 146.70.157.213"; classtype:trojan-activity; sid:4225591; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/368;)
alert ip $HOME_NET any -> 31.42.177.201 any (msg: "MISP e368 [misp-galaxy:mitre-intrusion-set="ZIRCONIUM - G0128",misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Legal",misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Outgoing To IP: 31.42.177.201"; classtype:trojan-activity; sid:4225601; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/368;)
alert ip $HOME_NET any -> 5.252.176.8 any (msg: "MISP e368 [misp-galaxy:mitre-intrusion-set="ZIRCONIUM - G0128",misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Legal",misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Outgoing To IP: 5.252.176.8"; classtype:trojan-activity; sid:4225611; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/368;)
alert ip $HOME_NET any -> 80.85.158.215 any (msg: "MISP e368 [misp-galaxy:mitre-intrusion-set="ZIRCONIUM - G0128",misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Legal",misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Outgoing To IP: 80.85.158.215"; classtype:trojan-activity; sid:4225621; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/368;)
alert ip $HOME_NET any -> 193.149.129.88 any (msg: "MISP e368 [misp-galaxy:mitre-intrusion-set="ZIRCONIUM - G0128",misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Legal",misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Outgoing To IP: 193.149.129.88"; classtype:trojan-activity; sid:4225631; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/368;)
alert ip $HOME_NET any -> 5.252.178.68 any (msg: "MISP e368 [misp-galaxy:mitre-intrusion-set="ZIRCONIUM - G0128",misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Legal",misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Outgoing To IP: 5.252.178.68"; classtype:trojan-activity; sid:4225641; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/368;)
alert ip $HOME_NET any -> 116.202.251.8 any (msg: "MISP e368 [misp-galaxy:mitre-intrusion-set="ZIRCONIUM - G0128",misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Legal",misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Outgoing To IP: 116.202.251.8"; classtype:trojan-activity; sid:4225651; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/368;)
alert ip $HOME_NET any -> 185.158.248.93 any (msg: "MISP e368 [misp-galaxy:mitre-intrusion-set="ZIRCONIUM - G0128",misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Legal",misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Outgoing To IP: 185.158.248.93"; classtype:trojan-activity; sid:4225661; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/368;)
alert ip $HOME_NET any -> 20.108.240.252 any (msg: "MISP e368 [misp-galaxy:mitre-intrusion-set="ZIRCONIUM - G0128",misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Legal",misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Outgoing To IP: 20.108.240.252"; classtype:trojan-activity; sid:4225671; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/368;)
alert ip $HOME_NET any -> 146.70.135.182 any (msg: "MISP e368 [misp-galaxy:mitre-intrusion-set="ZIRCONIUM - G0128",misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Legal",misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Outgoing To IP: 146.70.135.182"; classtype:trojan-activity; sid:4225681; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/368;)
alert ip $HOME_NET any -> 195.26.87.219 any (msg: "MISP e368 [misp-galaxy:mitre-intrusion-set="ZIRCONIUM - G0128",misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Legal",misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Outgoing To IP: 195.26.87.219"; classtype:trojan-activity; sid:4225691; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/368;)
alert ip $HOME_NET any -> 185.236.228.183 any (msg: "MISP e368 [misp-galaxy:mitre-intrusion-set="ZIRCONIUM - G0128",misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Legal",misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Outgoing To IP: 185.236.228.183"; classtype:trojan-activity; sid:4225701; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/368;)
alert ip $HOME_NET any -> 85.239.63.160 any (msg: "MISP e368 [misp-galaxy:mitre-intrusion-set="ZIRCONIUM - G0128",misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Legal",misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Outgoing To IP: 85.239.63.160"; classtype:trojan-activity; sid:4225711; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/368;)
alert ip $HOME_NET any -> 193.105.134.58 any (msg: "MISP e368 [misp-galaxy:mitre-intrusion-set="ZIRCONIUM - G0128",misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Legal",misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Outgoing To IP: 193.105.134.58"; classtype:trojan-activity; sid:4225721; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/368;)
alert ip $HOME_NET any -> 146.0.74.16 any (msg: "MISP e368 [misp-galaxy:mitre-intrusion-set="ZIRCONIUM - G0128",misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Legal",misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Outgoing To IP: 146.0.74.16"; classtype:trojan-activity; sid:4225731; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/368;)
alert ip $HOME_NET any -> 91.231.186.226 any (msg: "MISP e368 [misp-galaxy:mitre-intrusion-set="ZIRCONIUM - G0128",misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Legal",misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Outgoing To IP: 91.231.186.226"; classtype:trojan-activity; sid:4225741; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/368;)
alert ip $HOME_NET any -> 91.222.174.41 any (msg: "MISP e368 [misp-galaxy:mitre-intrusion-set="ZIRCONIUM - G0128",misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Legal",misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Outgoing To IP: 91.222.174.41"; classtype:trojan-activity; sid:4225751; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/368;)
alert ip $HOME_NET any -> 185.38.142.249 any (msg: "MISP e368 [misp-galaxy:mitre-intrusion-set="ZIRCONIUM - G0128",misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Legal",misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001",tlp:white] Outgoing To IP: 185.38.142.249"; classtype:trojan-activity; sid:4225761; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/368;)
# MISP event 369 (APT29 / UNC2452) hostname attributes. Unlike the event-367 "Domain" rules,
# the pcre prefix class here is (^|[^A-Za-z0-9-\.]) - it also excludes '.', so only the exact
# host matches and sub-domains do not; the HTTP rule likewise pins "Host|3a| <hostname>" as a
# single content match. The DNS rule is any/any in both directions; the HTTP rule only sees
# cleartext HTTP and tags the matching flow for 600 s.
alert dns any any -> any any (msg: "MISP e369 [tlp:white,misp-galaxy:mitre-intrusion-set="APT29 - G0016",misp-galaxy:threat-actor="UNC2452",misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="IT",misp-galaxy:sector="Managed Services Provider"] Hostname msftprotection.onmicrosoft.com"; dns.query; content:"msftprotection.onmicrosoft.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])msftprotection\.onmicrosoft\.com$/i"; classtype:trojan-activity; sid:4225791; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/369;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e369 [tlp:white,misp-galaxy:mitre-intrusion-set="APT29 - G0016",misp-galaxy:threat-actor="UNC2452",misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="IT",misp-galaxy:sector="Managed Services Provider"] Outgoing HTTP Hostname msftprotection.onmicrosoft.com"; flow:to_server,established; http.header; content: "Host|3a| msftprotection.onmicrosoft.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])msftprotection\.onmicrosoft\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4225792; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/369;)
alert dns any any -> any any (msg: "MISP e369 [tlp:white,misp-galaxy:mitre-intrusion-set="APT29 - G0016",misp-galaxy:threat-actor="UNC2452",misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="IT",misp-galaxy:sector="Managed Services Provider"] Hostname identityverification.onmicrosoft.com"; dns.query; content:"identityverification.onmicrosoft.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])identityverification\.onmicrosoft\.com$/i"; classtype:trojan-activity; sid:4225801; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/369;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e369 [tlp:white,misp-galaxy:mitre-intrusion-set="APT29 - G0016",misp-galaxy:threat-actor="UNC2452",misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="IT",misp-galaxy:sector="Managed Services Provider"] Outgoing HTTP Hostname identityverification.onmicrosoft.com"; flow:to_server,established; http.header; content: "Host|3a| identityverification.onmicrosoft.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])identityverification\.onmicrosoft\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4225802; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/369;) alert dns any any -> any any (msg: "MISP e369 [tlp:white,misp-galaxy:mitre-intrusion-set="APT29 - G0016",misp-galaxy:threat-actor="UNC2452",misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="IT",misp-galaxy:sector="Managed Services Provider"] Hostname accountsverification.onmicrosoft.com"; dns.query; content:"accountsverification.onmicrosoft.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])accountsverification\.onmicrosoft\.com$/i"; classtype:trojan-activity; sid:4225811; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/369;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e369 [tlp:white,misp-galaxy:mitre-intrusion-set="APT29 - G0016",misp-galaxy:threat-actor="UNC2452",misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="IT",misp-galaxy:sector="Managed Services Provider"] Outgoing HTTP Hostname accountsverification.onmicrosoft.com"; flow:to_server,established; http.header; content: "Host|3a| accountsverification.onmicrosoft.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])accountsverification\.onmicrosoft\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; 
sid:4225812; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/369;) alert dns any any -> any any (msg: "MISP e369 [tlp:white,misp-galaxy:mitre-intrusion-set="APT29 - G0016",misp-galaxy:threat-actor="UNC2452",misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="IT",misp-galaxy:sector="Managed Services Provider"] Hostname azuresecuritycenter.onmicrosoft.com"; dns.query; content:"azuresecuritycenter.onmicrosoft.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])azuresecuritycenter\.onmicrosoft\.com$/i"; classtype:trojan-activity; sid:4225821; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/369;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e369 [tlp:white,misp-galaxy:mitre-intrusion-set="APT29 - G0016",misp-galaxy:threat-actor="UNC2452",misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="IT",misp-galaxy:sector="Managed Services Provider"] Outgoing HTTP Hostname azuresecuritycenter.onmicrosoft.com"; flow:to_server,established; http.header; content: "Host|3a| azuresecuritycenter.onmicrosoft.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])azuresecuritycenter\.onmicrosoft\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4225822; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/369;) alert dns any any -> any any (msg: "MISP e369 [tlp:white,misp-galaxy:mitre-intrusion-set="APT29 - G0016",misp-galaxy:threat-actor="UNC2452",misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="IT",misp-galaxy:sector="Managed Services Provider"] Hostname teamsprotection.onmicrosoft.com"; dns.query; content:"teamsprotection.onmicrosoft.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])teamsprotection\.onmicrosoft\.com$/i"; classtype:trojan-activity; sid:4225831; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/369;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg: "MISP e369 [tlp:white,misp-galaxy:mitre-intrusion-set="APT29 - G0016",misp-galaxy:threat-actor="UNC2452",misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="IT",misp-galaxy:sector="Managed Services Provider"] Outgoing HTTP Hostname teamsprotection.onmicrosoft.com"; flow:to_server,established; http.header; content: "Host|3a| teamsprotection.onmicrosoft.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])teamsprotection\.onmicrosoft\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4225832; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/369;) alert dns any any -> any any (msg: "MISP e370 [misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:threat-actor="APT 29",misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",tlp:white] Hostname toyy.zulipchat.com"; dns.query; content:"toyy.zulipchat.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])toyy\.zulipchat\.com$/i"; classtype:trojan-activity; sid:4225861; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/370;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e370 [misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:threat-actor="APT 29",misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",tlp:white] Outgoing HTTP Hostname toyy.zulipchat.com"; flow:to_server,established; http.header; content: 
"Host|3a| toyy.zulipchat.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])toyy\.zulipchat\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4225862; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/370;) alert dns any any -> any any (msg: "MISP e370 [misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:threat-actor="APT 29",misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",tlp:white] Hostname sgrhf.org.pk"; dns.query; content:"sgrhf.org.pk"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])sgrhf\.org\.pk$/i"; classtype:trojan-activity; sid:4225871; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/370;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e370 [misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:threat-actor="APT 29",misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",tlp:white] Outgoing HTTP Hostname sgrhf.org.pk"; flow:to_server,established; http.header; content: "Host|3a| sgrhf.org.pk"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])sgrhf\.org\.pk[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4225872; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/370;) alert dns any any -> any any (msg: "MISP e370 [misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:threat-actor="APT 
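29",misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",tlp:white] Domain edenparkweddings.com"; dns.query; content:"edenparkweddings.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])edenparkweddings\.com$/i"; classtype:trojan-activity; sid:4225881; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/370;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e370 [misp-galaxy:sector="Diplomacy",misp-galaxy:sector="Government, Administration",misp-galaxy:threat-actor="APT 29",misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002",misp-galaxy:mitre-attack-pattern="Mshta - T1218.005",misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002",tlp:white] Outgoing HTTP Domain edenparkweddings.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"edenparkweddings.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])edenparkweddings\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4225882; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/370;)
# e373 sid:4226421 -- DISABLED on review. The MISP attribute is a OneDrive share URL, but the
# exported rule only tests tls.sni for "onedrive.live.com": the path and the authkey/id/cid
# query parameters (the actual discriminating indicator) are inside the TLS payload and are
# not observable by a passive sensor. As written the rule alerts on, and tags for 600 s,
# every OneDrive session leaving $HOME_NET, which is a false-positive and log-volume problem
# rather than a detection. Match the query-string indicator in decrypted traffic (TLS-
# inspecting proxy or SaaS access logs) instead. Rule text kept for reference.
#alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e373 [tlp:white] Outgoing URL https|3a|//onedrive.live.com/?authkey=%21AAdO%2Di5%2DikrnuaA&id=79E2A760F4732317%21106&cid=79E2A760F4732317"; tls.sni; content:"onedrive.live.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4226421; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/373;)
alert dns any any -> any any (msg: "MISP e373 [tlp:white] Domain wplsummit.com"; dns.query; content:"wplsummit.com"; nocase; pcre: 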
"/(^|[^A-Za-z0-9-])wplsummit\.com$/i"; classtype:trojan-activity; sid:4226431; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/373;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e373 [tlp:white] Outgoing HTTP Domain wplsummit.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wplsummit.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wplsummit\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4226432; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/373;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e373 [tlp:white] Outgoing URL https|3a|//mctelemetryzone.com/favicon.ico"; tls.sni; content:"mctelemetryzone.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4226441; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/373;) alert dns any any -> any any (msg: "MISP e373 [tlp:white] Domain netstaticsinformation.com"; dns.query; content:"netstaticsinformation.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])netstaticsinformation\.com$/i"; classtype:trojan-activity; sid:4226451; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/373;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e373 [tlp:white] Outgoing HTTP Domain netstaticsinformation.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"netstaticsinformation.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])netstaticsinformation\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4226452; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/373;) alert dns any any -> any any (msg: "MISP e373 [tlp:white] Domain redditanalytics.pm"; dns.query; content:"redditanalytics.pm"; nocase; pcre: "/(^|[^A-Za-z0-9-])redditanalytics\.pm$/i"; classtype:trojan-activity; sid:4226461; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/373;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e373 [tlp:white] Outgoing HTTP Domain redditanalytics.pm"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"redditanalytics.pm"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])redditanalytics\.pm[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4226462; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/373;) alert dns any any -> any any (msg: "MISP e373 [tlp:white] Domain wirelessvezion.com"; dns.query; content:"wirelessvezion.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])wirelessvezion\.com$/i"; classtype:trojan-activity; sid:4226471; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/373;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e373 [tlp:white] Outgoing HTTP Domain wirelessvezion.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wirelessvezion.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wirelessvezion\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4226472; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/373;) alert dns any any -> any any (msg: "MISP e373 [tlp:white] Domain budgetnews.org"; dns.query; content:"budgetnews.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])budgetnews\.org$/i"; classtype:trojan-activity; sid:4226481; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/373;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e373 [tlp:white] Outgoing HTTP Domain budgetnews.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"budgetnews.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])budgetnews\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4226482; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/373;) alert dns any any -> any any (msg: "MISP e373 [tlp:white] Domain pap-cut.com"; dns.query; content:"pap-cut.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])pap\-cut\.com$/i"; classtype:trojan-activity; sid:4226491; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/373;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e373 [tlp:white] Outgoing HTTP Domain pap-cut.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pap-cut.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pap\-cut\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4226492; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/373;) alert dns any any -> any any (msg: "MISP e373 [tlp:white] Domain speedymarker.com"; dns.query; content:"speedymarker.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])speedymarker\.com$/i"; classtype:trojan-activity; sid:4226501; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/373;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e373 [tlp:white] Outgoing HTTP Domain speedymarker.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"speedymarker.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])speedymarker\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4226502; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/373;) alert dns any any -> any any (msg: "MISP e373 [tlp:white] Domain kayakahead.net"; dns.query; content:"kayakahead.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])kayakahead\.net$/i"; classtype:trojan-activity; sid:4226511; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/373;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e373 [tlp:white] Outgoing HTTP Domain kayakahead.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; 
http.header; content:"kayakahead.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kayakahead\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4226512; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/373;) alert dns any any -> any any (msg: "MISP e372 [tlp:white] Hostname solitary-dawn-61af.mfeagents.workers.dev"; dns.query; content:"solitary-dawn-61af.mfeagents.workers.dev"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])solitary\-dawn\-61af\.mfeagents\.workers\.dev$/i"; classtype:trojan-activity; sid:4226371; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/372;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e372 [tlp:white] Outgoing HTTP Hostname solitary-dawn-61af.mfeagents.workers.dev"; flow:to_server,established; http.header; content: "Host|3a| solitary-dawn-61af.mfeagents.workers.dev"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])solitary\-dawn\-61af\.mfeagents\.workers\.dev[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4226372; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/372;) alert dns any any -> any any (msg: "MISP e372 [tlp:white] Hostname www.githubdd.workers.dev"; dns.query; content:"www.githubdd.workers.dev"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.githubdd\.workers\.dev$/i"; classtype:trojan-activity; sid:4226381; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/372;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e372 [tlp:white] Outgoing HTTP Hostname www.githubdd.workers.dev"; flow:to_server,established; http.header; content: "Host|3a| www.githubdd.workers.dev"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.githubdd\.workers\.dev[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4226382; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/372;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e372 [tlp:white] Outgoing URL 
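https|3a|//solitary-dawn-61af.mfeagents.workers.dev/collector/3.0/"; tls.sni; content:"solitary-dawn-61af.mfeagents.workers.dev"; tag:session,600,seconds; classtype:trojan-activity; sid:4226391; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/372;)
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e372 [tlp:white] Outgoing URL https|3a|//www.githubdd.workers.dev/fam/mfe?restart=false"; tls.sni; content:"www.githubdd.workers.dev"; tag:session,600,seconds; classtype:trojan-activity; sid:4226401; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/372;)
# e376 URL rules (sid 4227151/4227161/4227171/4227181/4227231/4227241), rev:2 on review.
# These URL attributes carry no scheme, so the export placed the whole "host/path" string
# into a single http.uri content. In Suricata, http.uri holds only the request-target of
# an origin-form request (e.g. "/files/7f9dxtt6"); the hostname is in the Host header /
# http.host buffer. The original content therefore only matched absolute-form (explicit
# proxy) requests and would never fire on a normal client request. Split into
# http.host + http.uri, mirroring how this export already encodes http:// URLs
# (http.header host match followed by an http.uri path match). http.host is lowercase-
# normalised, so no nocase on it.
# Caveat: a.storyblok.com and ws.onehub.com are shared CDN/file-sharing services normally
# reached over TLS; a tls.sni rule on those hosts would fire on unrelated traffic, so the
# path-level indicator below is only observable on plaintext HTTP or at a TLS-inspecting
# proxy. Treat an absence of hits as "not observable", not "not present".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e376 [misp-galaxy:microsoft-activity-group="Mango Sandstorm",misp-galaxy:mitre-enterprise-attack-intrusion-set="MuddyWater - G0069",misp-galaxy:mitre-intrusion-set="MuddyWater - G0069",misp-galaxy:threat-actor="MuddyWater",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:country="israel",tlp:white] Outgoing URL ws.onehub.com/files/7f9dxtt6"; flow:to_server,established; http.host; content:"ws.onehub.com"; http.uri; content:"/files/7f9dxtt6"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4227151; rev:2; priority:2; reference:url,https://misp.botvrij.eu/events/view/376;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e376 [misp-galaxy:microsoft-activity-group="Mango Sandstorm",misp-galaxy:mitre-enterprise-attack-intrusion-set="MuddyWater - G0069",misp-galaxy:mitre-intrusion-set="MuddyWater - G0069",misp-galaxy:threat-actor="MuddyWater",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:country="israel",tlp:white] Outgoing URL a.storyblok.com/f/253959/x/b92ea48421/form.zip"; flow:to_server,established; http.host; content:"a.storyblok.com"; http.uri; content:"/f/253959/x/b92ea48421/form.zip"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4227161; rev:2; priority:2; reference:url,https://misp.botvrij.eu/events/view/376;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e376 [misp-galaxy:microsoft-activity-group="Mango Sandstorm",misp-galaxy:mitre-enterprise-attack-intrusion-set="MuddyWater - G0069",misp-galaxy:mitre-intrusion-set="MuddyWater - G0069",misp-galaxy:threat-actor="MuddyWater",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:country="israel",tlp:white] Outgoing URL a.storyblok.com/f/255988/x/5e0186f61d/questionnaire.zip"; flow:to_server,established; http.host; content:"a.storyblok.com"; http.uri; content:"/f/255988/x/5e0186f61d/questionnaire.zip"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4227171; rev:2; priority:2; reference:url,https://misp.botvrij.eu/events/view/376;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e376 [misp-galaxy:microsoft-activity-group="Mango Sandstorm",misp-galaxy:mitre-enterprise-attack-intrusion-set="MuddyWater - G0069",misp-galaxy:mitre-intrusion-set="MuddyWater - G0069",misp-galaxy:threat-actor="MuddyWater",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:country="israel",tlp:white] Outgoing URL a.storyblok.com/f/259791/x/94f59e378f/questionnaire.zip"; flow:to_server,established; http.host; content:"a.storyblok.com"; http.uri; content:"/f/259791/x/94f59e378f/questionnaire.zip"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4227181; rev:2; priority:2; reference:url,https://misp.botvrij.eu/events/view/376;)
# e376 IP indicators, unchanged. Bare "alert ip" rules carry no protocol or payload
# context, so review and expire them on a schedule: hosting and VPN egress addresses are
# re-assigned and an alert here is a pivot point, not a verdict.
alert ip $HOME_NET any -> 146.70.149.61 any (msg: "MISP e376 [misp-galaxy:microsoft-activity-group="Mango Sandstorm",misp-galaxy:mitre-enterprise-attack-intrusion-set="MuddyWater - G0069",misp-galaxy:mitre-intrusion-set="MuddyWater - G0069",misp-galaxy:threat-actor="MuddyWater",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:country="israel",tlp:white] Outgoing To IP: 146.70.149.61"; classtype:trojan-activity; sid:4227191; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/376;)
alert ip $HOME_NET any -> 146.70.124.102 any (msg: "MISP e376 [misp-galaxy:microsoft-activity-group="Mango Sandstorm",misp-galaxy:mitre-enterprise-attack-intrusion-set="MuddyWater - G0069",misp-galaxy:mitre-intrusion-set="MuddyWater - G0069",misp-galaxy:threat-actor="MuddyWater",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:country="israel",tlp:white] Outgoing To IP: 146.70.124.102"; classtype:trojan-activity; sid:4227201; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/376;)
alert ip $HOME_NET any -> 37.120.237.204 any (msg: "MISP e376 [misp-galaxy:microsoft-activity-group="Mango Sandstorm",misp-galaxy:mitre-enterprise-attack-intrusion-set="MuddyWater - G0069",misp-galaxy:mitre-intrusion-set="MuddyWater - G0069",misp-galaxy:threat-actor="MuddyWater",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:country="israel",tlp:white] Outgoing To IP: 37.120.237.204"; classtype:trojan-activity; sid:4227211; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/376;)
alert ip $HOME_NET any -> 37.120.237.248 any (msg: "MISP e376 [misp-galaxy:microsoft-activity-group="Mango Sandstorm",misp-galaxy:mitre-enterprise-attack-intrusion-set="MuddyWater - G0069",misp-galaxy:mitre-intrusion-set="MuddyWater - G0069",misp-galaxy:threat-actor="MuddyWater",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:country="israel",tlp:white] Outgoing To IP: 37.120.237.248"; classtype:trojan-activity; sid:4227221; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/376;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e376 [misp-galaxy:microsoft-activity-group="Mango Sandstorm",misp-galaxy:mitre-enterprise-attack-intrusion-set="MuddyWater - G0069",misp-galaxy:mitre-intrusion-set="MuddyWater - G0069",misp-galaxy:threat-actor="MuddyWater",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:country="israel",tlp:white] Outgoing URL a.storyblok.com/f/259837/x/21e6a04837/defense-video.zip"; flow:to_server,established; http.host; content:"a.storyblok.com"; http.uri; content:"/f/259837/x/21e6a04837/defense-video.zip"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4227231; rev:2; priority:2; reference:url,https://misp.botvrij.eu/events/view/376;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e376 [misp-galaxy:microsoft-activity-group="Mango Sandstorm",misp-galaxy:mitre-enterprise-attack-intrusion-set="MuddyWater - G0069",misp-galaxy:mitre-intrusion-set="MuddyWater - G0069",misp-galaxy:threat-actor="MuddyWater",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002",misp-galaxy:country="israel",tlp:white] Outgoing URL a.storyblok.com/f/259791/x/91e2f5fa2f/attachments.zip"; flow:to_server,established; http.host; content:"a.storyblok.com"; http.uri; content:"/f/259791/x/91e2f5fa2f/attachments.zip"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4227241; rev:2; priority:2; reference:url,https://misp.botvrij.eu/events/view/376;)
alert ip $HOME_NET any -> 45.89.106.147 any (msg: "MISP e377 [misp-galaxy:sector="Energy",misp-galaxy:target-information="Denmark",tlp:white] Outgoing To IP: 45.89.106.147"; classtype:trojan-activity; sid:4227291; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/377;)
alert ip $HOME_NET any -> 145.239.54.169 any (msg: "MISP e377 [misp-galaxy:sector="Energy",misp-galaxy:target-information="Denmark",tlp:white] Outgoing To IP: 145.239.54.169"; classtype:trojan-activity; sid:4227301; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/377;)
alert ip $HOME_NET any -> 176.124.32.84 any (msg: "MISP e377 [misp-galaxy:sector="Energy",misp-galaxy:target-information="Denmark",tlp:white] Outgoing To IP: 176.124.32.84"; classtype:trojan-activity; sid:4227311; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/377;)
alert ip $HOME_NET any -> 185.180.223.48 any (msg: "MISP e377 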
[misp-galaxy:sector="Energy",misp-galaxy:target-information="Denmark",tlp:white] Outgoing To IP: 185.180.223.48"; classtype:trojan-activity; sid:4227321; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/377;) alert ip $HOME_NET any -> 91.235.234.81 any (msg: "MISP e377 [misp-galaxy:sector="Energy",misp-galaxy:target-information="Denmark",tlp:white] Outgoing To IP: 91.235.234.81"; classtype:trojan-activity; sid:4227331; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/377;) alert ip $HOME_NET any -> 205.147.101.170 any (msg: "MISP e377 [misp-galaxy:sector="Energy",misp-galaxy:target-information="Denmark",tlp:white] Outgoing To IP: 205.147.101.170"; classtype:trojan-activity; sid:4227341; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/377;) alert ip $HOME_NET any -> 45.128.232.143 any (msg: "MISP e377 [misp-galaxy:sector="Energy",misp-galaxy:target-information="Denmark",tlp:white] Outgoing To IP: 45.128.232.143"; classtype:trojan-activity; sid:4227351; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/377;) alert ip $HOME_NET any -> 91.235.234.251 any (msg: "MISP e377 [misp-galaxy:sector="Energy",misp-galaxy:target-information="Denmark",tlp:white] Outgoing To IP: 91.235.234.251"; classtype:trojan-activity; sid:4227361; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/377;) alert ip $HOME_NET any -> 46.8.198.196 any (msg: "MISP e377 [misp-galaxy:sector="Energy",misp-galaxy:target-information="Denmark",tlp:white] Outgoing To IP: 46.8.198.196"; classtype:trojan-activity; sid:4227371; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/377;) alert ip $HOME_NET any -> 156.241.86.2 any (msg: "MISP e377 [misp-galaxy:sector="Energy",misp-galaxy:target-information="Denmark",tlp:white] Outgoing To IP: 156.241.86.2"; classtype:trojan-activity; sid:4227381; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/377;) alert ip $HOME_NET any -> 
63.79.171.112 any (msg: "MISP e377 [misp-galaxy:sector="Energy",misp-galaxy:target-information="Denmark",tlp:white] Outgoing To IP: 63.79.171.112"; classtype:trojan-activity; sid:4227401; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/377;) alert ip $HOME_NET any -> 217.57.80.18 any (msg: "MISP e377 [misp-galaxy:mitre-enterprise-attack-intrusion-set="Sandworm Team - G0034",misp-galaxy:sector="Energy",misp-galaxy:target-information="Denmark",tlp:white] Outgoing To IP: 217.57.80.18"; classtype:trojan-activity; sid:4227411; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/377;) alert ip $HOME_NET any -> 70.62.153.174 any (msg: "MISP e377 [misp-galaxy:mitre-intrusion-set="Sandworm Team - G0034",misp-galaxy:sector="Energy",misp-galaxy:target-information="Denmark",tlp:white] Outgoing To IP: 70.62.153.174"; classtype:trojan-activity; sid:4227421; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/377;) alert http $HOME_NET any -> 45.89.106.147 8080 (msg: "MISP e377 [misp-galaxy:sector="Energy",misp-galaxy:target-information="Denmark",tlp:white] Outgoing URL http|3a|//45.89.106.147|3a|8080/mpsl"; flow:to_server,established; http.header; content:"45.89.106.147"; fast_pattern; nocase; http.uri; content:"/mpsl"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4227441; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/377;) alert http $HOME_NET any -> 45.89.106.147 8080 (msg: "MISP e377 [misp-galaxy:sector="Energy",misp-galaxy:target-information="Denmark",tlp:white] Outgoing URL http|3a|//45.89.106.147|3a|8080/mips"; flow:to_server,established; http.header; content:"45.89.106.147"; fast_pattern; nocase; http.uri; content:"/mips"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4227461; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/377;) alert http $HOME_NET any -> 145.239.54.169 $HTTP_PORTS (msg: "MISP e377 
[misp-galaxy:sector="Energy",misp-galaxy:target-information="Denmark",tlp:white] Outgoing URL http|3a|//145.239.54.169/mipskiller"; flow:to_server,established; http.header; content:"145.239.54.169"; fast_pattern; nocase; http.uri; content:"/mipskiller"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4227481; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/377;) alert http $HOME_NET any -> 176.124.32.84 $HTTP_PORTS (msg: "MISP e377 [misp-galaxy:sector="Energy",misp-galaxy:target-information="Denmark",tlp:white] Outgoing URL http|3a|//176.124.32.84/mipskiller"; flow:to_server,established; http.header; content:"176.124.32.84"; fast_pattern; nocase; http.uri; content:"/mipskiller"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4227491; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/377;) alert http $HOME_NET any -> 185.180.223.48 $HTTP_PORTS (msg: "MISP e377 [misp-galaxy:sector="Energy",misp-galaxy:target-information="Denmark",tlp:white] Outgoing URL http|3a|//185.180.223.48/mipskiller"; flow:to_server,established; http.header; content:"185.180.223.48"; fast_pattern; nocase; http.uri; content:"/mipskiller"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4227501; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/377;) alert http $HOME_NET any -> 91.235.234.81 $HTTP_PORTS (msg: "MISP e377 [misp-galaxy:sector="Energy",misp-galaxy:target-information="Denmark",tlp:white] Outgoing URL http|3a|//91.235.234.81/proxy2"; flow:to_server,established; http.header; content:"91.235.234.81"; fast_pattern; nocase; http.uri; content:"/proxy2"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4227511; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/377;) alert http $HOME_NET any -> 205.147.101.170 82 (msg: "MISP e377 [misp-galaxy:sector="Energy",misp-galaxy:target-information="Denmark",tlp:white] Outgoing URL 
http|3a|//205.147.101.170|3a|82/fuckjewishpeople.mips"; flow:to_server,established; http.header; content:"205.147.101.170"; fast_pattern; nocase; http.uri; content:"/fuckjewishpeople.mips"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4227521; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/377;) alert http $HOME_NET any -> 45.128.232.143 $HTTP_PORTS (msg: "MISP e377 [misp-galaxy:sector="Energy",misp-galaxy:target-information="Denmark",tlp:white] Outgoing URL http|3a|//45.128.232.143/bins/paraiso.mips"; flow:to_server,established; http.header; content:"45.128.232.143"; fast_pattern; nocase; http.uri; content:"/bins/paraiso.mips"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4227531; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/377;) alert http $HOME_NET any -> 45.128.232.143 $HTTP_PORTS (msg: "MISP e377 [misp-galaxy:sector="Energy",misp-galaxy:target-information="Denmark",tlp:white] Outgoing URL http|3a|//45.128.232.143/bins/libcurl1337.mips"; flow:to_server,established; http.header; content:"45.128.232.143"; fast_pattern; nocase; http.uri; content:"/bins/libcurl1337.mips"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4227541; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/377;) alert http $HOME_NET any -> 91.235.234.251 $HTTP_PORTS (msg: "MISP e377 [misp-galaxy:sector="Energy",misp-galaxy:target-information="Denmark",tlp:white] Outgoing URL http|3a|//91.235.234.251/proxy1"; flow:to_server,established; http.header; content:"91.235.234.251"; fast_pattern; nocase; http.uri; content:"/proxy1"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4227551; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/377;) alert ip $HOME_NET any -> 185.44.81.147 any (msg: "MISP e377 [misp-galaxy:sector="Energy",misp-galaxy:target-information="Denmark",tlp:white] Outgoing To IP: 185.44.81.147"; classtype:trojan-activity; 
sid:4227561; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/377;) alert dns any any -> any any (msg: "MISP e377 [misp-galaxy:sector="Energy",misp-galaxy:target-information="Denmark",tlp:white] Hostname www.joshan.pro"; dns.query; content:"www.joshan.pro"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.joshan\.pro$/i"; classtype:trojan-activity; sid:4227571; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/377;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e377 [misp-galaxy:sector="Energy",misp-galaxy:target-information="Denmark",tlp:white] Outgoing HTTP Hostname www.joshan.pro"; flow:to_server,established; http.header; content: "Host|3a| www.joshan.pro"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.joshan\.pro[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4227572; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/377;) alert ip $HOME_NET any -> 82.180.150.197 any (msg: "MISP e378 [tlp:white,misp-galaxy:country="ukraine",misp-galaxy:target-information="Ukraine",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1458",misp-galaxy:mitre-attack-pattern="Indicator Removal - T1070",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1623",misp-galaxy:mitre-attack-pattern="Command-Line Interface - T1605",misp-galaxy:mitre-attack-pattern="Data Destruction - T1485",misp-galaxy:mitre-intrusion-set="Sandworm Team - G0034"] Outgoing To IP: 82.180.150.197"; classtype:trojan-activity; sid:4227591; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/378;) alert ip $HOME_NET any -> 176.119.195.113 any (msg: "MISP e378 [tlp:white,misp-galaxy:country="ukraine",misp-galaxy:target-information="Ukraine",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1458",misp-galaxy:mitre-attack-pattern="Indicator Removal - T1070",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - 
T1623",misp-galaxy:mitre-attack-pattern="Command-Line Interface - T1605",misp-galaxy:mitre-attack-pattern="Data Destruction - T1485",misp-galaxy:mitre-intrusion-set="Sandworm Team - G0034"] Outgoing To IP: 176.119.195.113"; classtype:trojan-activity; sid:4227601; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/378;) alert ip $HOME_NET any -> 176.119.195.115 any (msg: "MISP e378 [tlp:white,misp-galaxy:country="ukraine",misp-galaxy:target-information="Ukraine",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1458",misp-galaxy:mitre-attack-pattern="Indicator Removal - T1070",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1623",misp-galaxy:mitre-attack-pattern="Command-Line Interface - T1605",misp-galaxy:mitre-attack-pattern="Data Destruction - T1485",misp-galaxy:mitre-intrusion-set="Sandworm Team - G0034"] Outgoing To IP: 176.119.195.115"; classtype:trojan-activity; sid:4227611; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/378;) alert ip $HOME_NET any -> 185.220.101.58 any (msg: "MISP e378 [tlp:white,misp-galaxy:country="ukraine",misp-galaxy:target-information="Ukraine",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1458",misp-galaxy:mitre-attack-pattern="Indicator Removal - T1070",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1623",misp-galaxy:mitre-attack-pattern="Command-Line Interface - T1605",misp-galaxy:mitre-attack-pattern="Data Destruction - T1485",misp-galaxy:mitre-intrusion-set="Sandworm Team - G0034"] Outgoing To IP: 185.220.101.58"; classtype:trojan-activity; sid:4227621; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/378;) alert ip $HOME_NET any -> 190.2.145.24 any (msg: "MISP e378 [tlp:white,misp-galaxy:country="ukraine",misp-galaxy:target-information="Ukraine",misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1458",misp-galaxy:mitre-attack-pattern="Indicator Removal - 
T1070",misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1623",misp-galaxy:mitre-attack-pattern="Command-Line Interface - T1605",misp-galaxy:mitre-attack-pattern="Data Destruction - T1485",misp-galaxy:mitre-intrusion-set="Sandworm Team - G0034"] Outgoing To IP: 190.2.145.24"; classtype:trojan-activity; sid:4227631; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/378;) alert ip $HOME_NET any -> 23.224.99.242 any (msg: "MISP e379 [tlp:white] Outgoing To IP: 23.224.99.242"; classtype:trojan-activity; sid:4228211; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/379;) alert ip $HOME_NET any -> 23.224.99.243 any (msg: "MISP e379 [tlp:white] Outgoing To IP: 23.224.99.243"; classtype:trojan-activity; sid:4228221; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/379;) alert ip $HOME_NET any -> 23.224.99.244 any (msg: "MISP e379 [tlp:white] Outgoing To IP: 23.224.99.244"; classtype:trojan-activity; sid:4228231; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/379;) alert ip $HOME_NET any -> 23.224.99.245 any (msg: "MISP e379 [tlp:white] Outgoing To IP: 23.224.99.245"; classtype:trojan-activity; sid:4228241; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/379;) alert ip $HOME_NET any -> 23.224.99.246 any (msg: "MISP e379 [tlp:white] Outgoing To IP: 23.224.99.246"; classtype:trojan-activity; sid:4228251; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/379;) alert ip $HOME_NET any -> 23.225.35.234 any (msg: "MISP e379 [tlp:white] Outgoing To IP: 23.225.35.234"; classtype:trojan-activity; sid:4228261; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/379;) alert ip $HOME_NET any -> 23.225.35.235 any (msg: "MISP e379 [tlp:white] Outgoing To IP: 23.225.35.235"; classtype:trojan-activity; sid:4228271; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/379;) alert ip $HOME_NET any -> 23.225.35.236 any 
(msg: "MISP e379 [tlp:white] Outgoing To IP: 23.225.35.236"; classtype:trojan-activity; sid:4228281; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/379;) alert ip $HOME_NET any -> 23.225.35.237 any (msg: "MISP e379 [tlp:white] Outgoing To IP: 23.225.35.237"; classtype:trojan-activity; sid:4228291; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/379;) alert ip $HOME_NET any -> 23.225.35.238 any (msg: "MISP e379 [tlp:white] Outgoing To IP: 23.225.35.238"; classtype:trojan-activity; sid:4228301; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/379;) alert ip $HOME_NET any -> 107.148.41.146 any (msg: "MISP e379 [tlp:white] Outgoing To IP: 107.148.41.146"; classtype:trojan-activity; sid:4228311; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/379;) alert dns any any -> any any (msg: "MISP e380 [misp-galaxy:sector="Defense",misp-galaxy:microsoft-activity-group="Peach Sandstorm",misp-galaxy:mitre-enterprise-attack-intrusion-set="APT33 - G0064",misp-galaxy:mitre-ics-groups="APT33",misp-galaxy:mitre-intrusion-set="APT33 - G0064",misp-galaxy:threat-actor="MAGNALLIUM",misp-galaxy:threat-actor="APT33",tlp:white] Domain digitalcodecrafters.com"; dns.query; content:"digitalcodecrafters.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])digitalcodecrafters\.com$/i"; classtype:trojan-activity; sid:4228351; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/380;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e380 [misp-galaxy:sector="Defense",misp-galaxy:microsoft-activity-group="Peach Sandstorm",misp-galaxy:mitre-enterprise-attack-intrusion-set="APT33 - G0064",misp-galaxy:mitre-ics-groups="APT33",misp-galaxy:mitre-intrusion-set="APT33 - G0064",misp-galaxy:threat-actor="MAGNALLIUM",misp-galaxy:threat-actor="APT33",tlp:white] Outgoing HTTP Domain digitalcodecrafters.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; 
content:"digitalcodecrafters.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])digitalcodecrafters\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4228352; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/380;) alert ip $HOME_NET any -> 146.70.124.102 any (msg: "MISP e381 [misp-galaxy:region="015 - Northern Africa",misp-galaxy:region="014 - Eastern Africa",misp-galaxy:sector="Telecoms",misp-galaxy:microsoft-activity-group="Mango Sandstorm",misp-galaxy:mitre-enterprise-attack-intrusion-set="MuddyWater - G0069",misp-galaxy:mitre-intrusion-set="MuddyWater - G0069",misp-galaxy:threat-actor="MuddyWater",tlp:white] Outgoing To IP: 146.70.124.102"; classtype:trojan-activity; sid:4228411; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/381;) alert ip $HOME_NET any -> 94.131.109.65 any (msg: "MISP e381 [misp-galaxy:region="015 - Northern Africa",misp-galaxy:region="014 - Eastern Africa",misp-galaxy:sector="Telecoms",misp-galaxy:microsoft-activity-group="Mango Sandstorm",misp-galaxy:mitre-enterprise-attack-intrusion-set="MuddyWater - G0069",misp-galaxy:mitre-intrusion-set="MuddyWater - G0069",misp-galaxy:threat-actor="MuddyWater",tlp:white] Outgoing To IP: 94.131.109.65"; classtype:trojan-activity; sid:4228421; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/381;) alert ip $HOME_NET any -> 95.164.38.99 any (msg: "MISP e381 [misp-galaxy:region="015 - Northern Africa",misp-galaxy:region="014 - Eastern Africa",misp-galaxy:sector="Telecoms",misp-galaxy:microsoft-activity-group="Mango Sandstorm",misp-galaxy:mitre-enterprise-attack-intrusion-set="MuddyWater - G0069",misp-galaxy:mitre-intrusion-set="MuddyWater - G0069",misp-galaxy:threat-actor="MuddyWater",tlp:white] Outgoing To IP: 95.164.38.99"; classtype:trojan-activity; sid:4228431; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/381;) alert ip $HOME_NET any -> 45.67.230.91 any (msg: "MISP e381 
[misp-galaxy:region="015 - Northern Africa",misp-galaxy:region="014 - Eastern Africa",misp-galaxy:sector="Telecoms",misp-galaxy:microsoft-activity-group="Mango Sandstorm",misp-galaxy:mitre-enterprise-attack-intrusion-set="MuddyWater - G0069",misp-galaxy:mitre-intrusion-set="MuddyWater - G0069",misp-galaxy:threat-actor="MuddyWater",tlp:white] Outgoing To IP: 45.67.230.91"; classtype:trojan-activity; sid:4228441; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/381;) alert ip $HOME_NET any -> 95.164.46.199 any (msg: "MISP e381 [misp-galaxy:region="015 - Northern Africa",misp-galaxy:region="014 - Eastern Africa",misp-galaxy:sector="Telecoms",misp-galaxy:microsoft-activity-group="Mango Sandstorm",misp-galaxy:mitre-enterprise-attack-intrusion-set="MuddyWater - G0069",misp-galaxy:mitre-intrusion-set="MuddyWater - G0069",misp-galaxy:threat-actor="MuddyWater",tlp:white] Outgoing To IP: 95.164.46.199"; classtype:trojan-activity; sid:4228451; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/381;) alert ip $HOME_NET any -> 94.131.98.14 any (msg: "MISP e381 [misp-galaxy:region="015 - Northern Africa",misp-galaxy:region="014 - Eastern Africa",misp-galaxy:sector="Telecoms",misp-galaxy:microsoft-activity-group="Mango Sandstorm",misp-galaxy:mitre-enterprise-attack-intrusion-set="MuddyWater - G0069",misp-galaxy:mitre-intrusion-set="MuddyWater - G0069",misp-galaxy:threat-actor="MuddyWater",tlp:white] Outgoing To IP: 94.131.98.14"; classtype:trojan-activity; sid:4228461; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/381;) alert ip $HOME_NET any -> 94.131.3.160 any (msg: "MISP e381 [misp-galaxy:region="015 - Northern Africa",misp-galaxy:region="014 - Eastern Africa",misp-galaxy:sector="Telecoms",misp-galaxy:microsoft-activity-group="Mango Sandstorm",misp-galaxy:mitre-enterprise-attack-intrusion-set="MuddyWater - G0069",misp-galaxy:mitre-intrusion-set="MuddyWater - G0069",misp-galaxy:threat-actor="MuddyWater",tlp:white] 
Outgoing To IP: 94.131.3.160"; classtype:trojan-activity; sid:4228471; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/381;) alert dns any any -> any any (msg: "MISP e382 [misp-galaxy:attack-pattern="Gather Victim Host Information: Software",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:attack-pattern="Gather Victim Network Information: Network Topology",misp-galaxy:mitre-ics-techniques="Exploit Public-Facing Application",misp-galaxy:cmtmf-attack-pattern="Exploit Public-Facing Application",misp-galaxy:attack-pattern="Command and Scripting Interpreter: PowerShell",misp-galaxy:attack-pattern="Command and Scripting Interpreter: Windows Command Shell",misp-galaxy:mitre-enterprise-attack-course-of-action="Exploitation for Client Execution Mitigation - T1203",misp-galaxy:mitre-course-of-action="Exploitation for Client Execution Mitigation - T1203",misp-galaxy:mitre-enterprise-attack-course-of-action="Windows Management Instrumentation Mitigation - T1047",misp-galaxy:mitre-enterprise-attack-course-of-action="Account Manipulation Mitigation - T1098",misp-galaxy:cmtmf-attack-pattern="Boot or Logon Autostart Execution",misp-galaxy:attack-pattern="Hijack Execution Flow: DLL Side-Loading",misp-galaxy:attack-pattern="Scheduled Task/Job: Scheduled Task",misp-galaxy:attack-pattern="Server Software Component: SQL Stored Procedures",misp-galaxy:mitre-enterprise-attack-course-of-action="Exploitation for Privilege Escalation Mitigation - T1068",misp-galaxy:mitre-course-of-action="Exploitation for Privilege Escalation Mitigation - T1068",misp-galaxy:mitre-attack-pattern="Hide Artifacts - T1628",misp-galaxy:attack-pattern="Hide Artifacts: Hidden Files and Directories",misp-galaxy:attack-pattern="Impair Defenses: Disable or Modify Tools",misp-galaxy:mitre-ics-techniques="Masquerading",misp-galaxy:cmtmf-attack-pattern="Masquerading",misp-galaxy:attack-pattern="Obfuscated Files or Information: Binary 
Padding",misp-galaxy:cmtmf-attack-pattern="Process Injection",misp-galaxy:attack-pattern="Credentials from Password Stores: Credentials from Web Browsers",misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003",misp-galaxy:attack-pattern="OS Credential Dumping: LSASS Memory",misp-galaxy:attack-pattern="OS Credential Dumping: Security Account Manager",misp-galaxy:attack-pattern="Steal or Forge Kerberos Tickets: Golden Ticket",misp-galaxy:mitre-attack-pattern="Network Service Discovery - T1046",misp-galaxy:sigma-rules="Process Discovery",misp-galaxy:cmtmf-attack-pattern="System Network Connections Discovery",misp-galaxy:mitre-enterprise-attack-course-of-action="System Owner/User Discovery Mitigation - T1033",misp-galaxy:mitre-course-of-action="System Owner/User Discovery Mitigation - T1033",misp-galaxy:mitre-ics-techniques="Exploitation of Remote Services",misp-galaxy:mitre-attack-pattern="Dynamic Resolution - T1637",misp-galaxy:mitre-attack-pattern="Protocol Tunneling - T1572",misp-galaxy:cmtmf-attack-pattern="Automated Exfiltration",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="Exfiltration Over Web Service - T1567",tlp:white] Domain matclick.com"; dns.query; content:"matclick.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])matclick\.com$/i"; classtype:trojan-activity; sid:4228491; rev:1; priority:4; reference:url,https://misp.botvrij.eu/events/view/382;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e382 [misp-galaxy:attack-pattern="Gather Victim Host Information: Software",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:attack-pattern="Gather Victim Network Information: Network Topology",misp-galaxy:mitre-ics-techniques="Exploit Public-Facing Application",misp-galaxy:cmtmf-attack-pattern="Exploit Public-Facing Application",misp-galaxy:attack-pattern="Command and Scripting Interpreter: PowerShell",misp-galaxy:attack-pattern="Command and Scripting 
Interpreter: Windows Command Shell",misp-galaxy:mitre-enterprise-attack-course-of-action="Exploitation for Client Execution Mitigation - T1203",misp-galaxy:mitre-course-of-action="Exploitation for Client Execution Mitigation - T1203",misp-galaxy:mitre-enterprise-attack-course-of-action="Windows Management Instrumentation Mitigation - T1047",misp-galaxy:mitre-enterprise-attack-course-of-action="Account Manipulation Mitigation - T1098",misp-galaxy:cmtmf-attack-pattern="Boot or Logon Autostart Execution",misp-galaxy:attack-pattern="Hijack Execution Flow: DLL Side-Loading",misp-galaxy:attack-pattern="Scheduled Task/Job: Scheduled Task",misp-galaxy:attack-pattern="Server Software Component: SQL Stored Procedures",misp-galaxy:mitre-enterprise-attack-course-of-action="Exploitation for Privilege Escalation Mitigation - T1068",misp-galaxy:mitre-course-of-action="Exploitation for Privilege Escalation Mitigation - T1068",misp-galaxy:mitre-attack-pattern="Hide Artifacts - T1628",misp-galaxy:attack-pattern="Hide Artifacts: Hidden Files and Directories",misp-galaxy:attack-pattern="Impair Defenses: Disable or Modify Tools",misp-galaxy:mitre-ics-techniques="Masquerading",misp-galaxy:cmtmf-attack-pattern="Masquerading",misp-galaxy:attack-pattern="Obfuscated Files or Information: Binary Padding",misp-galaxy:cmtmf-attack-pattern="Process Injection",misp-galaxy:attack-pattern="Credentials from Password Stores: Credentials from Web Browsers",misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003",misp-galaxy:attack-pattern="OS Credential Dumping: LSASS Memory",misp-galaxy:attack-pattern="OS Credential Dumping: Security Account Manager",misp-galaxy:attack-pattern="Steal or Forge Kerberos Tickets: Golden Ticket",misp-galaxy:mitre-attack-pattern="Network Service Discovery - T1046",misp-galaxy:sigma-rules="Process Discovery",misp-galaxy:cmtmf-attack-pattern="System Network Connections Discovery",misp-galaxy:mitre-enterprise-attack-course-of-action="System Owner/User Discovery 
Mitigation - T1033",misp-galaxy:mitre-course-of-action="System Owner/User Discovery Mitigation - T1033",misp-galaxy:mitre-ics-techniques="Exploitation of Remote Services",misp-galaxy:mitre-attack-pattern="Dynamic Resolution - T1637",misp-galaxy:mitre-attack-pattern="Protocol Tunneling - T1572",misp-galaxy:cmtmf-attack-pattern="Automated Exfiltration",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="Exfiltration Over Web Service - T1567",tlp:white] Outgoing HTTP Domain matclick.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"matclick.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])matclick\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4228492; rev:1; priority:4; reference:url,https://misp.botvrij.eu/events/view/382;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e382 [misp-galaxy:attack-pattern="Gather Victim Host Information: Software",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:attack-pattern="Gather Victim Network Information: Network Topology",misp-galaxy:mitre-ics-techniques="Exploit Public-Facing Application",misp-galaxy:cmtmf-attack-pattern="Exploit Public-Facing Application",misp-galaxy:attack-pattern="Command and Scripting Interpreter: PowerShell",misp-galaxy:attack-pattern="Command and Scripting Interpreter: Windows Command Shell",misp-galaxy:mitre-enterprise-attack-course-of-action="Exploitation for Client Execution Mitigation - T1203",misp-galaxy:mitre-course-of-action="Exploitation for Client Execution Mitigation - T1203",misp-galaxy:mitre-enterprise-attack-course-of-action="Windows Management Instrumentation Mitigation - T1047",misp-galaxy:mitre-enterprise-attack-course-of-action="Account Manipulation Mitigation - T1098",misp-galaxy:cmtmf-attack-pattern="Boot or Logon Autostart Execution",misp-galaxy:attack-pattern="Hijack Execution Flow: DLL 
Side-Loading",misp-galaxy:attack-pattern="Scheduled Task/Job: Scheduled Task",misp-galaxy:attack-pattern="Server Software Component: SQL Stored Procedures",misp-galaxy:mitre-enterprise-attack-course-of-action="Exploitation for Privilege Escalation Mitigation - T1068",misp-galaxy:mitre-course-of-action="Exploitation for Privilege Escalation Mitigation - T1068",misp-galaxy:mitre-attack-pattern="Hide Artifacts - T1628",misp-galaxy:attack-pattern="Hide Artifacts: Hidden Files and Directories",misp-galaxy:attack-pattern="Impair Defenses: Disable or Modify Tools",misp-galaxy:mitre-ics-techniques="Masquerading",misp-galaxy:cmtmf-attack-pattern="Masquerading",misp-galaxy:attack-pattern="Obfuscated Files or Information: Binary Padding",misp-galaxy:cmtmf-attack-pattern="Process Injection",misp-galaxy:attack-pattern="Credentials from Password Stores: Credentials from Web Browsers",misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003",misp-galaxy:attack-pattern="OS Credential Dumping: LSASS Memory",misp-galaxy:attack-pattern="OS Credential Dumping: Security Account Manager",misp-galaxy:attack-pattern="Steal or Forge Kerberos Tickets: Golden Ticket",misp-galaxy:mitre-attack-pattern="Network Service Discovery - T1046",misp-galaxy:sigma-rules="Process Discovery",misp-galaxy:cmtmf-attack-pattern="System Network Connections Discovery",misp-galaxy:mitre-enterprise-attack-course-of-action="System Owner/User Discovery Mitigation - T1033",misp-galaxy:mitre-course-of-action="System Owner/User Discovery Mitigation - T1033",misp-galaxy:mitre-ics-techniques="Exploitation of Remote Services",misp-galaxy:mitre-attack-pattern="Dynamic Resolution - T1637",misp-galaxy:mitre-attack-pattern="Protocol Tunneling - T1572",misp-galaxy:cmtmf-attack-pattern="Automated Exfiltration",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="Exfiltration Over Web Service - T1567",tlp:white] Outgoing URL https|3a|//MATCLICK.COM/WP-QUERY.PHP"; 
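tls.sni; content:"MATCLICK.COM"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4228501; rev:2; priority:4; reference:url,https://misp.botvrij.eu/events/view/382;) alert ip $HOME_NET any -> 103.76.128.34 any (msg: "MISP e382 [misp-galaxy:attack-pattern="Gather Victim Host Information: Software",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:attack-pattern="Gather Victim Network Information: Network Topology",misp-galaxy:mitre-ics-techniques="Exploit Public-Facing Application",misp-galaxy:cmtmf-attack-pattern="Exploit Public-Facing Application",misp-galaxy:attack-pattern="Command and Scripting Interpreter: PowerShell",misp-galaxy:attack-pattern="Command and Scripting Interpreter: Windows Command Shell",misp-galaxy:mitre-enterprise-attack-course-of-action="Exploitation for Client Execution Mitigation - T1203",misp-galaxy:mitre-course-of-action="Exploitation for Client Execution Mitigation - T1203",misp-galaxy:mitre-enterprise-attack-course-of-action="Windows Management Instrumentation Mitigation - T1047",misp-galaxy:mitre-enterprise-attack-course-of-action="Account Manipulation Mitigation - T1098",misp-galaxy:cmtmf-attack-pattern="Boot or Logon Autostart Execution",misp-galaxy:attack-pattern="Hijack Execution Flow: DLL Side-Loading",misp-galaxy:attack-pattern="Scheduled Task/Job: Scheduled Task",misp-galaxy:attack-pattern="Server Software Component: SQL Stored Procedures",misp-galaxy:mitre-enterprise-attack-course-of-action="Exploitation for Privilege Escalation Mitigation - T1068",misp-galaxy:mitre-course-of-action="Exploitation for Privilege Escalation Mitigation - T1068",misp-galaxy:mitre-attack-pattern="Hide Artifacts - T1628",misp-galaxy:attack-pattern="Hide Artifacts: Hidden Files and Directories",misp-galaxy:attack-pattern="Impair Defenses: Disable or Modify Tools",misp-galaxy:mitre-ics-techniques="Masquerading",misp-galaxy:cmtmf-attack-pattern="Masquerading",misp-galaxy:attack-pattern="Obfuscated Files or 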
Information: Binary Padding",misp-galaxy:cmtmf-attack-pattern="Process Injection",misp-galaxy:attack-pattern="Credentials from Password Stores: Credentials from Web Browsers",misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003",misp-galaxy:attack-pattern="OS Credential Dumping: LSASS Memory",misp-galaxy:attack-pattern="OS Credential Dumping: Security Account Manager",misp-galaxy:attack-pattern="Steal or Forge Kerberos Tickets: Golden Ticket",misp-galaxy:mitre-attack-pattern="Network Service Discovery - T1046",misp-galaxy:sigma-rules="Process Discovery",misp-galaxy:cmtmf-attack-pattern="System Network Connections Discovery",misp-galaxy:mitre-enterprise-attack-course-of-action="System Owner/User Discovery Mitigation - T1033",misp-galaxy:mitre-course-of-action="System Owner/User Discovery Mitigation - T1033",misp-galaxy:mitre-ics-techniques="Exploitation of Remote Services",misp-galaxy:mitre-attack-pattern="Dynamic Resolution - T1637",misp-galaxy:mitre-attack-pattern="Protocol Tunneling - T1572",misp-galaxy:cmtmf-attack-pattern="Automated Exfiltration",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="Exfiltration Over Web Service - T1567",tlp:white] Outgoing To IP: 103.76.128.34"; classtype:trojan-activity; sid:4228511; rev:1; priority:4; reference:url,https://misp.botvrij.eu/events/view/382;) alert ip $HOME_NET any -> 65.21.51.58 any (msg: "MISP e382 [misp-galaxy:attack-pattern="Gather Victim Host Information: Software",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:attack-pattern="Gather Victim Network Information: Network Topology",misp-galaxy:mitre-ics-techniques="Exploit Public-Facing Application",misp-galaxy:cmtmf-attack-pattern="Exploit Public-Facing Application",misp-galaxy:attack-pattern="Command and Scripting Interpreter: PowerShell",misp-galaxy:attack-pattern="Command and Scripting Interpreter: Windows Command 
Shell",misp-galaxy:mitre-enterprise-attack-course-of-action="Exploitation for Client Execution Mitigation - T1203",misp-galaxy:mitre-course-of-action="Exploitation for Client Execution Mitigation - T1203",misp-galaxy:mitre-enterprise-attack-course-of-action="Windows Management Instrumentation Mitigation - T1047",misp-galaxy:mitre-enterprise-attack-course-of-action="Account Manipulation Mitigation - T1098",misp-galaxy:cmtmf-attack-pattern="Boot or Logon Autostart Execution",misp-galaxy:attack-pattern="Hijack Execution Flow: DLL Side-Loading",misp-galaxy:attack-pattern="Scheduled Task/Job: Scheduled Task",misp-galaxy:attack-pattern="Server Software Component: SQL Stored Procedures",misp-galaxy:mitre-enterprise-attack-course-of-action="Exploitation for Privilege Escalation Mitigation - T1068",misp-galaxy:mitre-course-of-action="Exploitation for Privilege Escalation Mitigation - T1068",misp-galaxy:mitre-attack-pattern="Hide Artifacts - T1628",misp-galaxy:attack-pattern="Hide Artifacts: Hidden Files and Directories",misp-galaxy:attack-pattern="Impair Defenses: Disable or Modify Tools",misp-galaxy:mitre-ics-techniques="Masquerading",misp-galaxy:cmtmf-attack-pattern="Masquerading",misp-galaxy:attack-pattern="Obfuscated Files or Information: Binary Padding",misp-galaxy:cmtmf-attack-pattern="Process Injection",misp-galaxy:attack-pattern="Credentials from Password Stores: Credentials from Web Browsers",misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003",misp-galaxy:attack-pattern="OS Credential Dumping: LSASS Memory",misp-galaxy:attack-pattern="OS Credential Dumping: Security Account Manager",misp-galaxy:attack-pattern="Steal or Forge Kerberos Tickets: Golden Ticket",misp-galaxy:mitre-attack-pattern="Network Service Discovery - T1046",misp-galaxy:sigma-rules="Process Discovery",misp-galaxy:cmtmf-attack-pattern="System Network Connections Discovery",misp-galaxy:mitre-enterprise-attack-course-of-action="System Owner/User Discovery Mitigation - 
T1033",misp-galaxy:mitre-course-of-action="System Owner/User Discovery Mitigation - T1033",misp-galaxy:mitre-ics-techniques="Exploitation of Remote Services",misp-galaxy:mitre-attack-pattern="Dynamic Resolution - T1637",misp-galaxy:mitre-attack-pattern="Protocol Tunneling - T1572",misp-galaxy:cmtmf-attack-pattern="Automated Exfiltration",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="Exfiltration Over Web Service - T1567",tlp:white] Outgoing To IP: 65.21.51.58"; classtype:trojan-activity; sid:4228521; rev:1; priority:4; reference:url,https://misp.botvrij.eu/events/view/382;) alert ip $HOME_NET any -> 65.20.97.203 any (msg: "MISP e382 [misp-galaxy:attack-pattern="Gather Victim Host Information: Software",misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590",misp-galaxy:attack-pattern="Gather Victim Network Information: Network Topology",misp-galaxy:mitre-ics-techniques="Exploit Public-Facing Application",misp-galaxy:cmtmf-attack-pattern="Exploit Public-Facing Application",misp-galaxy:attack-pattern="Command and Scripting Interpreter: PowerShell",misp-galaxy:attack-pattern="Command and Scripting Interpreter: Windows Command Shell",misp-galaxy:mitre-enterprise-attack-course-of-action="Exploitation for Client Execution Mitigation - T1203",misp-galaxy:mitre-course-of-action="Exploitation for Client Execution Mitigation - T1203",misp-galaxy:mitre-enterprise-attack-course-of-action="Windows Management Instrumentation Mitigation - T1047",misp-galaxy:mitre-enterprise-attack-course-of-action="Account Manipulation Mitigation - T1098",misp-galaxy:cmtmf-attack-pattern="Boot or Logon Autostart Execution",misp-galaxy:attack-pattern="Hijack Execution Flow: DLL Side-Loading",misp-galaxy:attack-pattern="Scheduled Task/Job: Scheduled Task",misp-galaxy:attack-pattern="Server Software Component: SQL Stored Procedures",misp-galaxy:mitre-enterprise-attack-course-of-action="Exploitation for Privilege 
Escalation Mitigation - T1068",misp-galaxy:mitre-course-of-action="Exploitation for Privilege Escalation Mitigation - T1068",misp-galaxy:mitre-attack-pattern="Hide Artifacts - T1628",misp-galaxy:attack-pattern="Hide Artifacts: Hidden Files and Directories",misp-galaxy:attack-pattern="Impair Defenses: Disable or Modify Tools",misp-galaxy:mitre-ics-techniques="Masquerading",misp-galaxy:cmtmf-attack-pattern="Masquerading",misp-galaxy:attack-pattern="Obfuscated Files or Information: Binary Padding",misp-galaxy:cmtmf-attack-pattern="Process Injection",misp-galaxy:attack-pattern="Credentials from Password Stores: Credentials from Web Browsers",misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003",misp-galaxy:attack-pattern="OS Credential Dumping: LSASS Memory",misp-galaxy:attack-pattern="OS Credential Dumping: Security Account Manager",misp-galaxy:attack-pattern="Steal or Forge Kerberos Tickets: Golden Ticket",misp-galaxy:mitre-attack-pattern="Network Service Discovery - T1046",misp-galaxy:sigma-rules="Process Discovery",misp-galaxy:cmtmf-attack-pattern="System Network Connections Discovery",misp-galaxy:mitre-enterprise-attack-course-of-action="System Owner/User Discovery Mitigation - T1033",misp-galaxy:mitre-course-of-action="System Owner/User Discovery Mitigation - T1033",misp-galaxy:mitre-ics-techniques="Exploitation of Remote Services",misp-galaxy:mitre-attack-pattern="Dynamic Resolution - T1637",misp-galaxy:mitre-attack-pattern="Protocol Tunneling - T1572",misp-galaxy:cmtmf-attack-pattern="Automated Exfiltration",misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041",misp-galaxy:mitre-attack-pattern="Exfiltration Over Web Service - T1567",tlp:white] Outgoing To IP: 65.20.97.203"; classtype:trojan-activity; sid:4228531; rev:1; priority:4; reference:url,https://misp.botvrij.eu/events/view/382;) alert dns any any -> any any (msg: "MISP e383 
[misp-galaxy:target-information="Israel",misp-galaxy:target-information="Palestine",misp-galaxy:malpedia="Pierogi",tlp:white] Domain aracaravan.com"; dns.query; content:"aracaravan.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])aracaravan\.com$/i"; classtype:trojan-activity; sid:4229321; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/383;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e383 [misp-galaxy:target-information="Israel",misp-galaxy:target-information="Palestine",misp-galaxy:malpedia="Pierogi",tlp:white] Outgoing HTTP Domain aracaravan.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"aracaravan.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])aracaravan\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4229322; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/383;) alert dns any any -> any any (msg: "MISP e383 [misp-galaxy:target-information="Israel",misp-galaxy:target-information="Palestine",misp-galaxy:malpedia="Pierogi",tlp:white] Domain beatricewarner.com"; dns.query; content:"beatricewarner.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])beatricewarner\.com$/i"; classtype:trojan-activity; sid:4229331; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/383;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e383 [misp-galaxy:target-information="Israel",misp-galaxy:target-information="Palestine",misp-galaxy:malpedia="Pierogi",tlp:white] Outgoing HTTP Domain beatricewarner.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"beatricewarner.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])beatricewarner\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4229332; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/383;) alert dns any any -> any any (msg: "MISP e383 
[misp-galaxy:target-information="Israel",misp-galaxy:target-information="Palestine",misp-galaxy:malpedia="Pierogi",tlp:white] Domain bruce-ess.com"; dns.query; content:"bruce-ess.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])bruce\-ess\.com$/i"; classtype:trojan-activity; sid:4229341; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/383;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e383 [misp-galaxy:target-information="Israel",misp-galaxy:target-information="Palestine",misp-galaxy:malpedia="Pierogi",tlp:white] Outgoing HTTP Domain bruce-ess.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bruce-ess.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bruce\-ess\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4229342; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/383;) alert dns any any -> any any (msg: "MISP e383 [misp-galaxy:target-information="Israel",misp-galaxy:target-information="Palestine",misp-galaxy:malpedia="Pierogi",tlp:white] Domain claire-conway.com"; dns.query; content:"claire-conway.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])claire\-conway\.com$/i"; classtype:trojan-activity; sid:4229351; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/383;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e383 [misp-galaxy:target-information="Israel",misp-galaxy:target-information="Palestine",misp-galaxy:malpedia="Pierogi",tlp:white] Outgoing HTTP Domain claire-conway.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"claire-conway.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])claire\-conway\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4229352; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/383;) alert dns any any -> any any (msg: "MISP e383 
[misp-galaxy:target-information="Israel",misp-galaxy:target-information="Palestine",misp-galaxy:malpedia="Pierogi",tlp:white] Domain delooyp.com"; dns.query; content:"delooyp.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])delooyp\.com$/i"; classtype:trojan-activity; sid:4229361; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/383;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e383 [misp-galaxy:target-information="Israel",misp-galaxy:target-information="Palestine",misp-galaxy:malpedia="Pierogi",tlp:white] Outgoing HTTP Domain delooyp.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"delooyp.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])delooyp\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4229362; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/383;) alert dns any any -> any any (msg: "MISP e383 [misp-galaxy:target-information="Israel",misp-galaxy:target-information="Palestine",misp-galaxy:malpedia="Pierogi",tlp:white] Domain escanor.live"; dns.query; content:"escanor.live"; nocase; pcre: "/(^|[^A-Za-z0-9-])escanor\.live$/i"; classtype:trojan-activity; sid:4229371; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/383;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e383 [misp-galaxy:target-information="Israel",misp-galaxy:target-information="Palestine",misp-galaxy:malpedia="Pierogi",tlp:white] Outgoing HTTP Domain escanor.live"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"escanor.live"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])escanor\.live[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4229372; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/383;) alert dns any any -> any any (msg: "MISP e383 
[misp-galaxy:target-information="Israel",misp-galaxy:target-information="Palestine",misp-galaxy:malpedia="Pierogi",tlp:white] Domain izocraft.com"; dns.query; content:"izocraft.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])izocraft\.com$/i"; classtype:trojan-activity; sid:4229381; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/383;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e383 [misp-galaxy:target-information="Israel",misp-galaxy:target-information="Palestine",misp-galaxy:malpedia="Pierogi",tlp:white] Outgoing HTTP Domain izocraft.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"izocraft.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])izocraft\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4229382; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/383;) alert dns any any -> any any (msg: "MISP e383 [misp-galaxy:target-information="Israel",misp-galaxy:target-information="Palestine",misp-galaxy:malpedia="Pierogi",tlp:white] Domain jane-chapman.com"; dns.query; content:"jane-chapman.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])jane\-chapman\.com$/i"; classtype:trojan-activity; sid:4229391; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/383;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e383 [misp-galaxy:target-information="Israel",misp-galaxy:target-information="Palestine",misp-galaxy:malpedia="Pierogi",tlp:white] Outgoing HTTP Domain jane-chapman.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"jane-chapman.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])jane\-chapman\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4229392; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/383;) alert dns any any -> any any (msg: "MISP e383 
[misp-galaxy:target-information="Israel",misp-galaxy:target-information="Palestine",misp-galaxy:malpedia="Pierogi",tlp:white] Domain lindamullins.info"; dns.query; content:"lindamullins.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])lindamullins\.info$/i"; classtype:trojan-activity; sid:4229401; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/383;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e383 [misp-galaxy:target-information="Israel",misp-galaxy:target-information="Palestine",misp-galaxy:malpedia="Pierogi",tlp:white] Outgoing HTTP Domain lindamullins.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lindamullins.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lindamullins\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4229402; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/383;) alert dns any any -> any any (msg: "MISP e383 [misp-galaxy:target-information="Israel",misp-galaxy:target-information="Palestine",misp-galaxy:malpedia="Pierogi",tlp:white] Domain nicoledotson.icu"; dns.query; content:"nicoledotson.icu"; nocase; pcre: "/(^|[^A-Za-z0-9-])nicoledotson\.icu$/i"; classtype:trojan-activity; sid:4229411; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/383;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e383 [misp-galaxy:target-information="Israel",misp-galaxy:target-information="Palestine",misp-galaxy:malpedia="Pierogi",tlp:white] Outgoing HTTP Domain nicoledotson.icu"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nicoledotson.icu"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nicoledotson\.icu[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4229412; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/383;) alert dns any any -> any any (msg: "MISP e383 
[misp-galaxy:target-information="Israel",misp-galaxy:target-information="Palestine",misp-galaxy:malpedia="Pierogi",tlp:white] Domain overingtonray.info"; dns.query; content:"overingtonray.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])overingtonray\.info$/i"; classtype:trojan-activity; sid:4229421; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/383;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e383 [misp-galaxy:target-information="Israel",misp-galaxy:target-information="Palestine",misp-galaxy:malpedia="Pierogi",tlp:white] Outgoing HTTP Domain overingtonray.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"overingtonray.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])overingtonray\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4229422; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/383;) alert dns any any -> any any (msg: "MISP e383 [misp-galaxy:target-information="Israel",misp-galaxy:target-information="Palestine",misp-galaxy:malpedia="Pierogi",tlp:white] Domain porthopeminorhockey.net"; dns.query; content:"porthopeminorhockey.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])porthopeminorhockey\.net$/i"; classtype:trojan-activity; sid:4229431; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/383;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e383 [misp-galaxy:target-information="Israel",misp-galaxy:target-information="Palestine",misp-galaxy:malpedia="Pierogi",tlp:white] Outgoing HTTP Domain porthopeminorhockey.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"porthopeminorhockey.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])porthopeminorhockey\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4229432; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/383;) alert dns any any -> any any (msg: "MISP e383 
[misp-galaxy:target-information="Israel",misp-galaxy:target-information="Palestine",misp-galaxy:malpedia="Pierogi",tlp:white] Domain spgbotup.club"; dns.query; content:"spgbotup.club"; nocase; pcre: "/(^|[^A-Za-z0-9-])spgbotup\.club$/i"; classtype:trojan-activity; sid:4229441; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/383;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e383 [misp-galaxy:target-information="Israel",misp-galaxy:target-information="Palestine",misp-galaxy:malpedia="Pierogi",tlp:white] Outgoing HTTP Domain spgbotup.club"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"spgbotup.club"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])spgbotup\.club[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4229442; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/383;) alert dns any any -> any any (msg: "MISP e383 [misp-galaxy:target-information="Israel",misp-galaxy:target-information="Palestine",misp-galaxy:malpedia="Pierogi",tlp:white] Domain stgeorgebankers.com"; dns.query; content:"stgeorgebankers.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])stgeorgebankers\.com$/i"; classtype:trojan-activity; sid:4229451; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/383;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e383 [misp-galaxy:target-information="Israel",misp-galaxy:target-information="Palestine",misp-galaxy:malpedia="Pierogi",tlp:white] Outgoing HTTP Domain stgeorgebankers.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"stgeorgebankers.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])stgeorgebankers\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4229452; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/383;) alert dns any any -> any any (msg: "MISP e383 
[misp-galaxy:target-information="Israel",misp-galaxy:target-information="Palestine",misp-galaxy:malpedia="Pierogi",tlp:white] Domain swsan-lina-soso.info"; dns.query; content:"swsan-lina-soso.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])swsan\-lina\-soso\.info$/i"; classtype:trojan-activity; sid:4229461; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/383;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e383 [misp-galaxy:target-information="Israel",misp-galaxy:target-information="Palestine",misp-galaxy:malpedia="Pierogi",tlp:white] Outgoing HTTP Domain swsan-lina-soso.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"swsan-lina-soso.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])swsan\-lina\-soso\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4229462; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/383;) alert dns any any -> any any (msg: "MISP e383 [misp-galaxy:target-information="Israel",misp-galaxy:target-information="Palestine",misp-galaxy:malpedia="Pierogi",tlp:white] Domain theconomics.net"; dns.query; content:"theconomics.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])theconomics\.net$/i"; classtype:trojan-activity; sid:4229471; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/383;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e383 [misp-galaxy:target-information="Israel",misp-galaxy:target-information="Palestine",misp-galaxy:malpedia="Pierogi",tlp:white] Outgoing HTTP Domain theconomics.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"theconomics.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])theconomics\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4229472; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/383;) alert dns any any -> any any (msg: "MISP e383 
[misp-galaxy:target-information="Israel",misp-galaxy:target-information="Palestine",misp-galaxy:malpedia="Pierogi",tlp:white] Domain wanda-bell.website"; dns.query; content:"wanda-bell.website"; nocase; pcre: "/(^|[^A-Za-z0-9-])wanda\-bell\.website$/i"; classtype:trojan-activity; sid:4229481; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/383;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e383 [misp-galaxy:target-information="Israel",misp-galaxy:target-information="Palestine",misp-galaxy:malpedia="Pierogi",tlp:white] Outgoing HTTP Domain wanda-bell.website"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wanda-bell.website"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wanda\-bell\.website[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4229482; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/383;) alert dns any any -> any any (msg: "MISP e383 [misp-galaxy:target-information="Israel",misp-galaxy:target-information="Palestine",misp-galaxy:malpedia="Pierogi",tlp:white] Domain wayne-lashley.com"; dns.query; content:"wayne-lashley.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])wayne\-lashley\.com$/i"; classtype:trojan-activity; sid:4229491; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/383;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e383 [misp-galaxy:target-information="Israel",misp-galaxy:target-information="Palestine",misp-galaxy:malpedia="Pierogi",tlp:white] Outgoing HTTP Domain wayne-lashley.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"wayne-lashley.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])wayne\-lashley\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4229492; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/383;) alert dns any any -> any any (msg: "MISP e383 
[misp-galaxy:target-information="Israel",misp-galaxy:target-information="Palestine",misp-galaxy:malpedia="Pierogi",tlp:white] Domain zakaria-chotzen.info"; dns.query; content:"zakaria-chotzen.info"; nocase; pcre: "/(^|[^A-Za-z0-9-])zakaria\-chotzen\.info$/i"; classtype:trojan-activity; sid:4229501; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/383;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e383 [misp-galaxy:target-information="Israel",misp-galaxy:target-information="Palestine",misp-galaxy:malpedia="Pierogi",tlp:white] Outgoing HTTP Domain zakaria-chotzen.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"zakaria-chotzen.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])zakaria\-chotzen\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4229502; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/383;) alert dns any any -> any any (msg: "MISP e384 [tlp:white] Domain symantke.com"; dns.query; content:"symantke.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])symantke\.com$/i"; classtype:trojan-activity; sid:4229621; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/384;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e384 [tlp:white] Outgoing HTTP Domain symantke.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"symantke.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])symantke\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4229622; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/384;) alert dns any any -> any any (msg: "MISP e385 [misp-galaxy:microsoft-activity-group="Mint Sandstorm",misp-galaxy:threat-actor="APT35",misp-galaxy:target-information="Belgium",misp-galaxy:target-information="France",misp-galaxy:target-information="Israel",misp-galaxy:target-information="United 
Kingdom",misp-galaxy:target-information="United States",misp-galaxy:sector="Academia - University",misp-galaxy:sector="Research - Innovation",misp-galaxy:country="iran",misp-galaxy:mitre-attack-pattern="Spear phishing messages with malicious links - T1369",misp-galaxy:sigma-rules="Suspicious Double Extension Files",misp-galaxy:sigma-rules="PUA - NirCmd Execution",tlp:white] Hostname east-healthy-dress.glitch.me"; dns.query; content:"east-healthy-dress.glitch.me"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])east\-healthy\-dress\.glitch\.me$/i"; classtype:trojan-activity; sid:4229711; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/385;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e385 [misp-galaxy:microsoft-activity-group="Mint Sandstorm",misp-galaxy:threat-actor="APT35",misp-galaxy:target-information="Belgium",misp-galaxy:target-information="France",misp-galaxy:target-information="Israel",misp-galaxy:target-information="United Kingdom",misp-galaxy:target-information="United States",misp-galaxy:sector="Academia - University",misp-galaxy:sector="Research - Innovation",misp-galaxy:country="iran",misp-galaxy:mitre-attack-pattern="Spear phishing messages with malicious links - T1369",misp-galaxy:sigma-rules="Suspicious Double Extension Files",misp-galaxy:sigma-rules="PUA - NirCmd Execution",tlp:white] Outgoing HTTP Hostname east-healthy-dress.glitch.me"; flow:to_server,established; http.header; content: "Host|3a| east-healthy-dress.glitch.me"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])east\-healthy\-dress\.glitch\.me[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4229712; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/385;) alert dns any any -> any any (msg: "MISP e385 [misp-galaxy:microsoft-activity-group="Mint 
Sandstorm",misp-galaxy:threat-actor="APT35",misp-galaxy:target-information="Belgium",misp-galaxy:target-information="France",misp-galaxy:target-information="Israel",misp-galaxy:target-information="United Kingdom",misp-galaxy:target-information="United States",misp-galaxy:sector="Academia - University",misp-galaxy:sector="Research - Innovation",misp-galaxy:country="iran",misp-galaxy:mitre-attack-pattern="Spear phishing messages with malicious links - T1369",misp-galaxy:sigma-rules="Suspicious Double Extension Files",misp-galaxy:sigma-rules="PUA - NirCmd Execution",tlp:white] Hostname coral-polydactyl-dragonfruit.glitch.me"; dns.query; content:"coral-polydactyl-dragonfruit.glitch.me"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])coral\-polydactyl\-dragonfruit\.glitch\.me$/i"; classtype:trojan-activity; sid:4229721; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/385;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e385 [misp-galaxy:microsoft-activity-group="Mint Sandstorm",misp-galaxy:threat-actor="APT35",misp-galaxy:target-information="Belgium",misp-galaxy:target-information="France",misp-galaxy:target-information="Israel",misp-galaxy:target-information="United Kingdom",misp-galaxy:target-information="United States",misp-galaxy:sector="Academia - University",misp-galaxy:sector="Research - Innovation",misp-galaxy:country="iran",misp-galaxy:mitre-attack-pattern="Spear phishing messages with malicious links - T1369",misp-galaxy:sigma-rules="Suspicious Double Extension Files",misp-galaxy:sigma-rules="PUA - NirCmd Execution",tlp:white] Outgoing HTTP Hostname coral-polydactyl-dragonfruit.glitch.me"; flow:to_server,established; http.header; content: "Host|3a| coral-polydactyl-dragonfruit.glitch.me"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])coral\-polydactyl\-dragonfruit\.glitch\.me[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4229722; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/385;) 
alert dns any any -> any any (msg: "MISP e385 [misp-galaxy:microsoft-activity-group="Mint Sandstorm",misp-galaxy:threat-actor="APT35",misp-galaxy:target-information="Belgium",misp-galaxy:target-information="France",misp-galaxy:target-information="Israel",misp-galaxy:target-information="United Kingdom",misp-galaxy:target-information="United States",misp-galaxy:sector="Academia - University",misp-galaxy:sector="Research - Innovation",misp-galaxy:country="iran",misp-galaxy:mitre-attack-pattern="Spear phishing messages with malicious links - T1369",misp-galaxy:sigma-rules="Suspicious Double Extension Files",misp-galaxy:sigma-rules="PUA - NirCmd Execution",tlp:white] Hostname kwhfibejjyxregxmnpcs.supabase.co"; dns.query; content:"kwhfibejjyxregxmnpcs.supabase.co"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])kwhfibejjyxregxmnpcs\.supabase\.co$/i"; classtype:trojan-activity; sid:4229731; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/385;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e385 [misp-galaxy:microsoft-activity-group="Mint Sandstorm",misp-galaxy:threat-actor="APT35",misp-galaxy:target-information="Belgium",misp-galaxy:target-information="France",misp-galaxy:target-information="Israel",misp-galaxy:target-information="United Kingdom",misp-galaxy:target-information="United States",misp-galaxy:sector="Academia - University",misp-galaxy:sector="Research - Innovation",misp-galaxy:country="iran",misp-galaxy:mitre-attack-pattern="Spear phishing messages with malicious links - T1369",misp-galaxy:sigma-rules="Suspicious Double Extension Files",misp-galaxy:sigma-rules="PUA - NirCmd Execution",tlp:white] Outgoing HTTP Hostname kwhfibejjyxregxmnpcs.supabase.co"; flow:to_server,established; http.header; content: "Host|3a| kwhfibejjyxregxmnpcs.supabase.co"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])kwhfibejjyxregxmnpcs\.supabase\.co[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4229732; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/385;) alert dns any any -> any any (msg: "MISP e385 [misp-galaxy:microsoft-activity-group="Mint Sandstorm",misp-galaxy:threat-actor="APT35",misp-galaxy:target-information="Belgium",misp-galaxy:target-information="France",misp-galaxy:target-information="Israel",misp-galaxy:target-information="United Kingdom",misp-galaxy:target-information="United States",misp-galaxy:sector="Academia - University",misp-galaxy:sector="Research - Innovation",misp-galaxy:country="iran",misp-galaxy:mitre-attack-pattern="Spear phishing messages with malicious links - T1369",misp-galaxy:sigma-rules="Suspicious Double Extension Files",misp-galaxy:sigma-rules="PUA - NirCmd Execution",tlp:white] Hostname epibvgvoszemkwjnplyc.supabase.co"; dns.query; content:"epibvgvoszemkwjnplyc.supabase.co"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])epibvgvoszemkwjnplyc\.supabase\.co$/i"; classtype:trojan-activity; sid:4229741; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/385;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e385 [misp-galaxy:microsoft-activity-group="Mint Sandstorm",misp-galaxy:threat-actor="APT35",misp-galaxy:target-information="Belgium",misp-galaxy:target-information="France",misp-galaxy:target-information="Israel",misp-galaxy:target-information="United Kingdom",misp-galaxy:target-information="United States",misp-galaxy:sector="Academia - University",misp-galaxy:sector="Research - Innovation",misp-galaxy:country="iran",misp-galaxy:mitre-attack-pattern="Spear phishing messages with malicious links - T1369",misp-galaxy:sigma-rules="Suspicious Double Extension Files",misp-galaxy:sigma-rules="PUA - NirCmd Execution",tlp:white] Outgoing HTTP Hostname epibvgvoszemkwjnplyc.supabase.co"; flow:to_server,established; http.header; content: "Host|3a| epibvgvoszemkwjnplyc.supabase.co"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])epibvgvoszemkwjnplyc\.supabase\.co[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4229742; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/385;) alert dns any any -> any any (msg: "MISP e385 [misp-galaxy:microsoft-activity-group="Mint Sandstorm",misp-galaxy:threat-actor="APT35",misp-galaxy:target-information="Belgium",misp-galaxy:target-information="France",misp-galaxy:target-information="Israel",misp-galaxy:target-information="United Kingdom",misp-galaxy:target-information="United States",misp-galaxy:sector="Academia - University",misp-galaxy:sector="Research - Innovation",misp-galaxy:country="iran",misp-galaxy:mitre-attack-pattern="Spear phishing messages with malicious links - T1369",misp-galaxy:sigma-rules="Suspicious Double Extension Files",misp-galaxy:sigma-rules="PUA - NirCmd Execution",tlp:white] Hostname ndrrftqrlblfecpupppp.supabase.co"; dns.query; content:"ndrrftqrlblfecpupppp.supabase.co"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ndrrftqrlblfecpupppp\.supabase\.co$/i"; classtype:trojan-activity; sid:4229751; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/385;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e385 [misp-galaxy:microsoft-activity-group="Mint Sandstorm",misp-galaxy:threat-actor="APT35",misp-galaxy:target-information="Belgium",misp-galaxy:target-information="France",misp-galaxy:target-information="Israel",misp-galaxy:target-information="United Kingdom",misp-galaxy:target-information="United States",misp-galaxy:sector="Academia - University",misp-galaxy:sector="Research - Innovation",misp-galaxy:country="iran",misp-galaxy:mitre-attack-pattern="Spear phishing messages with malicious links - T1369",misp-galaxy:sigma-rules="Suspicious Double Extension Files",misp-galaxy:sigma-rules="PUA - NirCmd Execution",tlp:white] Outgoing HTTP Hostname ndrrftqrlblfecpupppp.supabase.co"; flow:to_server,established; http.header; content: "Host|3a| ndrrftqrlblfecpupppp.supabase.co"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-\.])ndrrftqrlblfecpupppp\.supabase\.co[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4229752; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/385;) alert dns any any -> any any (msg: "MISP e385 [misp-galaxy:microsoft-activity-group="Mint Sandstorm",misp-galaxy:threat-actor="APT35",misp-galaxy:target-information="Belgium",misp-galaxy:target-information="France",misp-galaxy:target-information="Israel",misp-galaxy:target-information="United Kingdom",misp-galaxy:target-information="United States",misp-galaxy:sector="Academia - University",misp-galaxy:sector="Research - Innovation",misp-galaxy:country="iran",misp-galaxy:mitre-attack-pattern="Spear phishing messages with malicious links - T1369",misp-galaxy:sigma-rules="Suspicious Double Extension Files",misp-galaxy:sigma-rules="PUA - NirCmd Execution",tlp:white] Hostname cloud-document-edit.onrender.com"; dns.query; content:"cloud-document-edit.onrender.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cloud\-document\-edit\.onrender\.com$/i"; classtype:trojan-activity; sid:4229761; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/385;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e385 [misp-galaxy:microsoft-activity-group="Mint Sandstorm",misp-galaxy:threat-actor="APT35",misp-galaxy:target-information="Belgium",misp-galaxy:target-information="France",misp-galaxy:target-information="Israel",misp-galaxy:target-information="United Kingdom",misp-galaxy:target-information="United States",misp-galaxy:sector="Academia - University",misp-galaxy:sector="Research - Innovation",misp-galaxy:country="iran",misp-galaxy:mitre-attack-pattern="Spear phishing messages with malicious links - T1369",misp-galaxy:sigma-rules="Suspicious Double Extension Files",misp-galaxy:sigma-rules="PUA - NirCmd Execution",tlp:white] Outgoing HTTP Hostname cloud-document-edit.onrender.com"; flow:to_server,established; http.header; content: "Host|3a| 
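cloud-document-edit.onrender.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cloud\-document\-edit\.onrender\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4229762; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/385;)
# e386 (Star Blizzard / Callisto): the exporter copied a *defanged* IOC, https[:]//45.133.216.15:3000/ws,
# verbatim into an http.uri content match ("https[|3a|//]45.133.216.15|3a|3000/ws"). That string can never
# appear in a request URI (literal brackets, scheme and host are not part of the http.uri buffer, and the
# scheme is https so the path is encrypted anyway) - the original rule was dead. What the sensor can actually
# see is the TCP connection to 45.133.216.15:3000, so the rule is rewritten to match that (rev bumped, sid kept).
# The /ws path is only recoverable if TLS is decrypted upstream of the sensor.
alert tcp $HOME_NET any -> 45.133.216.15 3000 (msg: "MISP e386 [tlp:white,misp-galaxy:microsoft-activity-group="Star Blizzard",misp-galaxy:threat-actor="Callisto",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",misp-galaxy:sector="NGO",misp-galaxy:country="russia",misp-galaxy:sector="Academia - University",misp-galaxy:target-information="Ukraine"] Outgoing To 45.133.216.15|3a|3000 (IOC https[|3a|//]45.133.216.15|3a|3000/ws)"; flow:to_server,established; tag:session,600,seconds; classtype:trojan-activity; sid:4229891; rev:2; priority:2; reference:url,https://misp.botvrij.eu/events/view/386;)
# e387: plain outbound-IP indicators (any protocol, any port), exported at priority:1.
alert ip $HOME_NET any -> 104.193.88.123 any (msg: "MISP e387 [tlp:white,misp-galaxy:country="china",misp-galaxy:target-information="China",misp-galaxy:target-information="Japan",misp-galaxy:target-information="United Kingdom"] Outgoing To IP: 104.193.88.123"; classtype:trojan-activity; sid:4230531; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/387;)
alert ip $HOME_NET any -> 183.134.93.171 any (msg: "MISP e387 [tlp:white,misp-galaxy:country="china",misp-galaxy:target-information="China",misp-galaxy:target-information="Japan",misp-galaxy:target-information="United Kingdom"] Outgoing To IP: 183.134.93.171"; classtype:trojan-activity; sid:4230551; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/387;)
alert ip $HOME_NET any -> 20.237.166.161 any (msg: "MISP e388 [tlp:white,misp-galaxy:malpedia="Grandoreiro",misp-galaxy:mitre-malware="Grandoreiro - 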
S0531",misp-galaxy:target-information="Argentina",misp-galaxy:target-information="Brazil",misp-galaxy:target-information="Mexico",misp-galaxy:target-information="Spain"] Outgoing To IP: 20.237.166.161"; classtype:trojan-activity; sid:4230761; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/388;)
# e388 (Grandoreiro): plain outbound-IP indicators, any protocol/port. Several of these sit in prefixes that are
# commonly public-cloud space (20./52./18./54./3.) - TODO confirm against current WHOIS; cloud addresses are
# re-assigned, so these rules need a review/expiry date rather than living in the set indefinitely.
alert ip $HOME_NET any -> 20.120.249.43 any (msg: "MISP e388 [tlp:white,misp-galaxy:malpedia="Grandoreiro",misp-galaxy:mitre-malware="Grandoreiro - S0531",misp-galaxy:target-information="Argentina",misp-galaxy:target-information="Brazil",misp-galaxy:target-information="Mexico",misp-galaxy:target-information="Spain"] Outgoing To IP: 20.120.249.43"; classtype:trojan-activity; sid:4230771; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/388;)
alert ip $HOME_NET any -> 52.161.154.239 any (msg: "MISP e388 [tlp:white,misp-galaxy:malpedia="Grandoreiro",misp-galaxy:mitre-malware="Grandoreiro - S0531",misp-galaxy:target-information="Argentina",misp-galaxy:target-information="Brazil",misp-galaxy:target-information="Mexico",misp-galaxy:target-information="Spain"] Outgoing To IP: 52.161.154.239"; classtype:trojan-activity; sid:4230781; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/388;)
alert ip $HOME_NET any -> 167.114.138.249 any (msg: "MISP e388 [tlp:white,misp-galaxy:malpedia="Grandoreiro",misp-galaxy:mitre-malware="Grandoreiro - S0531",misp-galaxy:target-information="Argentina",misp-galaxy:target-information="Brazil",misp-galaxy:target-information="Mexico",misp-galaxy:target-information="Spain"] Outgoing To IP: 167.114.138.249"; classtype:trojan-activity; sid:4230791; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/388;)
alert ip $HOME_NET any -> 66.70.160.251 any (msg: "MISP e388 [tlp:white,misp-galaxy:malpedia="Grandoreiro",misp-galaxy:mitre-malware="Grandoreiro - S0531",misp-galaxy:target-information="Argentina",misp-galaxy:target-information="Brazil",misp-galaxy:target-information="Mexico",misp-galaxy:target-information="Spain"] Outgoing To IP: 66.70.160.251"; classtype:trojan-activity; sid:4230801; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/388;)
alert ip $HOME_NET any -> 167.114.4.175 any (msg: "MISP e388 [tlp:white,misp-galaxy:malpedia="Grandoreiro",misp-galaxy:mitre-malware="Grandoreiro - S0531",misp-galaxy:target-information="Argentina",misp-galaxy:target-information="Brazil",misp-galaxy:target-information="Mexico",misp-galaxy:target-information="Spain"] Outgoing To IP: 167.114.4.175"; classtype:trojan-activity; sid:4230811; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/388;)
alert ip $HOME_NET any -> 18.215.238.53 any (msg: "MISP e388 [tlp:white,misp-galaxy:malpedia="Grandoreiro",misp-galaxy:mitre-malware="Grandoreiro - S0531",misp-galaxy:target-information="Argentina",misp-galaxy:target-information="Brazil",misp-galaxy:target-information="Mexico",misp-galaxy:target-information="Spain"] Outgoing To IP: 18.215.238.53"; classtype:trojan-activity; sid:4230821; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/388;)
alert ip $HOME_NET any -> 54.219.169.167 any (msg: "MISP e388 [tlp:white,misp-galaxy:malpedia="Grandoreiro",misp-galaxy:mitre-malware="Grandoreiro - S0531",misp-galaxy:target-information="Argentina",misp-galaxy:target-information="Brazil",misp-galaxy:target-information="Mexico",misp-galaxy:target-information="Spain"] Outgoing To IP: 54.219.169.167"; classtype:trojan-activity; sid:4230831; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/388;)
alert ip $HOME_NET any -> 3.144.135.247 any (msg: "MISP e388 [tlp:white,misp-galaxy:malpedia="Grandoreiro",misp-galaxy:mitre-malware="Grandoreiro - S0531",misp-galaxy:target-information="Argentina",misp-galaxy:target-information="Brazil",misp-galaxy:target-information="Mexico",misp-galaxy:target-information="Spain"] Outgoing To IP: 3.144.135.247"; classtype:trojan-activity; sid:4230841; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/388;)
alert ip $HOME_NET any -> 77.246.96.204 any (msg: "MISP e388 [tlp:white,misp-galaxy:malpedia="Grandoreiro",misp-galaxy:mitre-malware="Grandoreiro - S0531",misp-galaxy:target-information="Argentina",misp-galaxy:target-information="Brazil",misp-galaxy:target-information="Mexico",misp-galaxy:target-information="Spain"] Outgoing To IP: 77.246.96.204"; classtype:trojan-activity; sid:4230851; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/388;)
alert ip $HOME_NET any -> 185.228.72.38 any (msg: "MISP e388 [tlp:white,misp-galaxy:malpedia="Grandoreiro",misp-galaxy:mitre-malware="Grandoreiro - S0531",misp-galaxy:target-information="Argentina",misp-galaxy:target-information="Brazil",misp-galaxy:target-information="Mexico",misp-galaxy:target-information="Spain"] Outgoing To IP: 185.228.72.38"; classtype:trojan-activity; sid:4230861; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/388;)
alert ip $HOME_NET any -> 62.84.100.225 any (msg: "MISP e388 [tlp:white,misp-galaxy:malpedia="Grandoreiro",misp-galaxy:mitre-malware="Grandoreiro - S0531",misp-galaxy:target-information="Argentina",misp-galaxy:target-information="Brazil",misp-galaxy:target-information="Mexico",misp-galaxy:target-information="Spain"] Outgoing To IP: 62.84.100.225"; classtype:trojan-activity; sid:4230871; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/388;)
alert ip $HOME_NET any -> 20.151.89.252 any (msg: "MISP e388 [tlp:white,misp-galaxy:malpedia="Grandoreiro",misp-galaxy:mitre-malware="Grandoreiro - 
S0531",misp-galaxy:target-information="Argentina",misp-galaxy:target-information="Brazil",misp-galaxy:target-information="Mexico",misp-galaxy:target-information="Spain"] Outgoing To IP: 20.151.89.252"; classtype:trojan-activity; sid:4230881; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/388;)
# e389 (Sea Turtle): all five IP rules are outbound-only ($HOME_NET -> IP, any protocol/port). The event is tagged
# External Remote Services (T1133) and Web Shell (T1505.003), i.e. the actor also connects *in* to victim
# infrastructure, which these rules do not cover. Mirrored inbound rules (IP -> $HOME_NET) would need fresh sids
# and are deliberately not added here to avoid colliding with the exporter's sid space - add them in a local file.
alert ip $HOME_NET any -> 82.102.19.88 any (msg: "MISP e389 [tlp:white,misp-galaxy:threat-actor="Sea Turtle",misp-galaxy:country="turkey",misp-galaxy:sector="Entertainment",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="IT - ISP",misp-galaxy:sector="News - Media",misp-galaxy:sector="NGO",misp-galaxy:sector="Telecoms",misp-galaxy:target-information="Netherlands",misp-galaxy:mitre-attack-pattern="Clear Linux or Mac System Logs - T1070.002",misp-galaxy:mitre-attack-pattern="Exfiltration Over Web Service - T1567",misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095",misp-galaxy:mitre-attack-pattern="Clear Command History - T1070.003",misp-galaxy:mitre-attack-pattern="Local Email Collection - T1114.001",misp-galaxy:mitre-attack-pattern="External Remote Services - T1133",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003",misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004",misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004",misp-galaxy:mitre-attack-pattern="Malware - T1588.001"] Outgoing To IP: 82.102.19.88"; classtype:trojan-activity; sid:4230911; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/389;)
alert ip $HOME_NET any -> 62.115.255.163 any (msg: "MISP e389 [tlp:white,misp-galaxy:threat-actor="Sea Turtle",misp-galaxy:country="turkey",misp-galaxy:sector="Entertainment",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="IT - ISP",misp-galaxy:sector="News - Media",misp-galaxy:sector="NGO",misp-galaxy:sector="Telecoms",misp-galaxy:target-information="Netherlands",misp-galaxy:mitre-attack-pattern="Clear Linux or Mac System Logs - T1070.002",misp-galaxy:mitre-attack-pattern="Exfiltration Over Web Service - T1567",misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095",misp-galaxy:mitre-attack-pattern="Clear Command History - T1070.003",misp-galaxy:mitre-attack-pattern="Local Email Collection - T1114.001",misp-galaxy:mitre-attack-pattern="External Remote Services - T1133",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003",misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004",misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004",misp-galaxy:mitre-attack-pattern="Malware - T1588.001"] Outgoing To IP: 62.115.255.163"; classtype:trojan-activity; sid:4230921; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/389;)
alert ip $HOME_NET any -> 193.34.167.245 any (msg: "MISP e389 [tlp:white,misp-galaxy:threat-actor="Sea Turtle",misp-galaxy:country="turkey",misp-galaxy:sector="Entertainment",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="IT - ISP",misp-galaxy:sector="News - Media",misp-galaxy:sector="NGO",misp-galaxy:sector="Telecoms",misp-galaxy:target-information="Netherlands",misp-galaxy:mitre-attack-pattern="Clear Linux or Mac System Logs - T1070.002",misp-galaxy:mitre-attack-pattern="Exfiltration Over Web Service - T1567",misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095",misp-galaxy:mitre-attack-pattern="Clear Command History - T1070.003",misp-galaxy:mitre-attack-pattern="Local Email Collection - T1114.001",misp-galaxy:mitre-attack-pattern="External Remote Services - T1133",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003",misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004",misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004",misp-galaxy:mitre-attack-pattern="Malware - T1588.001"] Outgoing To IP: 193.34.167.245"; classtype:trojan-activity; sid:4230931; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/389;)
alert ip $HOME_NET any -> 93.115.22.212 any (msg: "MISP e389 [tlp:white,misp-galaxy:threat-actor="Sea Turtle",misp-galaxy:country="turkey",misp-galaxy:sector="Entertainment",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="IT - ISP",misp-galaxy:sector="News - Media",misp-galaxy:sector="NGO",misp-galaxy:sector="Telecoms",misp-galaxy:target-information="Netherlands",misp-galaxy:mitre-attack-pattern="Clear Linux or Mac System Logs - T1070.002",misp-galaxy:mitre-attack-pattern="Exfiltration Over Web Service - T1567",misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095",misp-galaxy:mitre-attack-pattern="Clear Command History - T1070.003",misp-galaxy:mitre-attack-pattern="Local Email Collection - T1114.001",misp-galaxy:mitre-attack-pattern="External Remote Services - T1133",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003",misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004",misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004",misp-galaxy:mitre-attack-pattern="Malware - T1588.001"] Outgoing To IP: 93.115.22.212"; classtype:trojan-activity; sid:4230941; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/389;)
alert ip $HOME_NET any -> 95.179.176.250 any (msg: "MISP e389 [tlp:white,misp-galaxy:threat-actor="Sea Turtle",misp-galaxy:country="turkey",misp-galaxy:sector="Entertainment",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="IT - ISP",misp-galaxy:sector="News - Media",misp-galaxy:sector="NGO",misp-galaxy:sector="Telecoms",misp-galaxy:target-information="Netherlands",misp-galaxy:mitre-attack-pattern="Clear Linux or Mac System Logs - T1070.002",misp-galaxy:mitre-attack-pattern="Exfiltration Over Web Service - T1567",misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095",misp-galaxy:mitre-attack-pattern="Clear Command History - T1070.003",misp-galaxy:mitre-attack-pattern="Local Email Collection - T1114.001",misp-galaxy:mitre-attack-pattern="External Remote Services - T1133",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003",misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004",misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004",misp-galaxy:mitre-attack-pattern="Malware - T1588.001"] Outgoing To IP: 95.179.176.250"; classtype:trojan-activity; sid:4230951; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/389;)
# lo0.systemctl.network / forward.boord.info: exact-hostname rules (the (^|[^A-Za-z0-9-\.]) prefix rejects extra
# sub-labels). The HTTP variants need cleartext HTTP or TLS decrypted before the sensor; dns.query is the
# dependable one. The first name imitates Linux tooling vocabulary ("systemctl") - presumably chosen to blend in
# on admin hosts; the export does not say, so treat that as a reviewer guess.
alert dns any any -> any any (msg: "MISP e389 [tlp:white,misp-galaxy:threat-actor="Sea Turtle",misp-galaxy:country="turkey",misp-galaxy:sector="Entertainment",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="IT - ISP",misp-galaxy:sector="News - Media",misp-galaxy:sector="NGO",misp-galaxy:sector="Telecoms",misp-galaxy:target-information="Netherlands",misp-galaxy:mitre-attack-pattern="Clear Linux or Mac System Logs - T1070.002",misp-galaxy:mitre-attack-pattern="Exfiltration Over Web Service - T1567",misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095",misp-galaxy:mitre-attack-pattern="Clear Command History - T1070.003",misp-galaxy:mitre-attack-pattern="Local Email Collection - T1114.001",misp-galaxy:mitre-attack-pattern="External Remote Services - T1133",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003",misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004",misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004",misp-galaxy:mitre-attack-pattern="Malware - T1588.001"] Hostname lo0.systemctl.network"; dns.query; content:"lo0.systemctl.network"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])lo0\.systemctl\.network$/i"; classtype:trojan-activity; sid:4230961; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/389;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e389 [tlp:white,misp-galaxy:threat-actor="Sea Turtle",misp-galaxy:country="turkey",misp-galaxy:sector="Entertainment",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="IT - ISP",misp-galaxy:sector="News - Media",misp-galaxy:sector="NGO",misp-galaxy:sector="Telecoms",misp-galaxy:target-information="Netherlands",misp-galaxy:mitre-attack-pattern="Clear Linux or Mac System Logs - T1070.002",misp-galaxy:mitre-attack-pattern="Exfiltration Over Web Service - T1567",misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095",misp-galaxy:mitre-attack-pattern="Clear Command History - T1070.003",misp-galaxy:mitre-attack-pattern="Local Email Collection - T1114.001",misp-galaxy:mitre-attack-pattern="External Remote Services - T1133",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003",misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004",misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004",misp-galaxy:mitre-attack-pattern="Malware - T1588.001"] Outgoing HTTP Hostname lo0.systemctl.network"; flow:to_server,established; http.header; content: "Host|3a| lo0.systemctl.network"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])lo0\.systemctl\.network[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4230962; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/389;)
alert dns any any -> any any (msg: "MISP e389 [tlp:white,misp-galaxy:threat-actor="Sea Turtle",misp-galaxy:country="turkey",misp-galaxy:sector="Entertainment",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="IT - ISP",misp-galaxy:sector="News - Media",misp-galaxy:sector="NGO",misp-galaxy:sector="Telecoms",misp-galaxy:target-information="Netherlands",misp-galaxy:mitre-attack-pattern="Clear Linux or Mac System Logs - T1070.002",misp-galaxy:mitre-attack-pattern="Exfiltration Over Web Service - T1567",misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095",misp-galaxy:mitre-attack-pattern="Clear Command History - T1070.003",misp-galaxy:mitre-attack-pattern="Local Email Collection - T1114.001",misp-galaxy:mitre-attack-pattern="External Remote Services - T1133",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003",misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004",misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004",misp-galaxy:mitre-attack-pattern="Malware - T1588.001"] Hostname forward.boord.info"; dns.query; content:"forward.boord.info"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])forward\.boord\.info$/i"; classtype:trojan-activity; sid:4230971; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/389;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e389 [tlp:white,misp-galaxy:threat-actor="Sea Turtle",misp-galaxy:country="turkey",misp-galaxy:sector="Entertainment",misp-galaxy:sector="Government, Administration",misp-galaxy:sector="IT - ISP",misp-galaxy:sector="News - Media",misp-galaxy:sector="NGO",misp-galaxy:sector="Telecoms",misp-galaxy:target-information="Netherlands",misp-galaxy:mitre-attack-pattern="Clear Linux or Mac System Logs - T1070.002",misp-galaxy:mitre-attack-pattern="Exfiltration Over Web Service - T1567",misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095",misp-galaxy:mitre-attack-pattern="Clear Command History - T1070.003",misp-galaxy:mitre-attack-pattern="Local Email Collection - T1114.001",misp-galaxy:mitre-attack-pattern="External Remote Services - T1133",misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001",misp-galaxy:mitre-attack-pattern="Web 
Shell - T1505.003",misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004",misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004",misp-galaxy:mitre-attack-pattern="Malware - T1588.001"] Outgoing HTTP Hostname forward.boord.info"; flow:to_server,established; http.header; content: "Host|3a| forward.boord.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])forward\.boord\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4230972; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/389;)
# e390: note the two pcre shapes. "Domain" rules (imohub.net, apple-analyser.com, apple-health.org) use the
# (^|[^A-Za-z0-9-]) prefix, so any sub-label of the domain matches too. The "Hostname" rule for
# 22.imohub.workers.dev adds \. to the negated class and therefore matches only that exact name - deliberate,
# because workers.dev is a shared platform and a looser match would hit every other tenant.
# imohub.net and 22.imohub.workers.dev share the "imohub" label; the apple-* names are brand lookalikes
# (presumably phishing - the export does not say, check the event before tuning priority).
alert dns any any -> any any (msg: "MISP e390 [tlp:white] Domain imohub.net"; dns.query; content:"imohub.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])imohub\.net$/i"; classtype:trojan-activity; sid:4232211; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/390;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e390 [tlp:white] Outgoing HTTP Domain imohub.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"imohub.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])imohub\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4232212; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/390;)
alert dns any any -> any any (msg: "MISP e390 [tlp:white] Hostname 22.imohub.workers.dev"; dns.query; content:"22.imohub.workers.dev"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])22\.imohub\.workers\.dev$/i"; classtype:trojan-activity; sid:4232221; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/390;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e390 [tlp:white] Outgoing HTTP Hostname 22.imohub.workers.dev"; flow:to_server,established; http.header; content: "Host|3a| 22.imohub.workers.dev"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])22\.imohub\.workers\.dev[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4232222; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/390;)
alert dns any any -> any any (msg: "MISP e390 [tlp:white] Domain apple-analyser.com"; dns.query; content:"apple-analyser.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])apple\-analyser\.com$/i"; classtype:trojan-activity; sid:4232231; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/390;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e390 [tlp:white] Outgoing HTTP Domain apple-analyser.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"apple-analyser.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])apple\-analyser\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4232232; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/390;)
alert dns any any -> any any (msg: "MISP e390 [tlp:white] Domain apple-health.org"; dns.query; content:"apple-health.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])apple\-health\.org$/i"; classtype:trojan-activity; sid:4232241; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/390;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e390 [tlp:white] Outgoing HTTP Domain apple-health.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"apple-health.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])apple\-health\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4232242; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/390;)
# e391: plain outbound-IP indicators. 45.9.148.193 shares its /24 with three e398 addresses further down.
alert ip $HOME_NET any -> 45.9.148.193 any (msg: "MISP e391 [tlp:white] Outgoing To IP: 45.9.148.193"; classtype:trojan-activity; sid:4232311; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/391;)
alert ip $HOME_NET any -> 103.127.43.208 any (msg: "MISP e391 [tlp:white] Outgoing To IP: 103.127.43.208"; classtype:trojan-activity; sid:4232321; rev:1; priority:2; 
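reference:url,https://misp.botvrij.eu/events/view/391;)
# e392: JA3 rule. ja3.hash only works when app-layer.protocols.tls.ja3-fingerprints is enabled in suricata.yaml;
# with it off Suricata skips the rule at load time with a warning, so check the load log rather than assuming
# coverage. A JA3 value identifies a TLS client stack, not a specific piece of malware - every client built on the
# same library shares it - so priority:1 on a bare JA3 match, from any host to any host, is aggressive; correlate
# with destination before acting on it.
alert tls any any -> any any (msg: "MISP e392 [misp-galaxy:country="china",misp-galaxy:target-information="Netherlands",tlp:white,misp-galaxy:sector="Government, Administration",misp-galaxy:sector="Military",misp-galaxy:sector="Research - Innovation",misp-galaxy:mitre-attack-pattern="Vulnerabilities - T1588.006"] JA3 Hash: 339f6adf54e6076d069dcaac54fddc25"; ja3.hash; content:"339f6adf54e6076d069dcaac54fddc25"; fast_pattern; tag:session,600,seconds; classtype:trojan-activity; sid:4233691; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/392;)
# e393: outbound-IP indicators plus a "Domain" rule pair (sub-labels of idowall.com match as well).
alert ip $HOME_NET any -> 193.142.58.126 any (msg: "MISP e393 [tlp:white] Outgoing To IP: 193.142.58.126"; classtype:trojan-activity; sid:4234181; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/393;)
alert ip $HOME_NET any -> 198.244.174.214 any (msg: "MISP e393 [tlp:white] Outgoing To IP: 198.244.174.214"; classtype:trojan-activity; sid:4234191; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/393;)
alert dns any any -> any any (msg: "MISP e393 [tlp:white] Domain idowall.com"; dns.query; content:"idowall.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])idowall\.com$/i"; classtype:trojan-activity; sid:4234201; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/393;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e393 [tlp:white] Outgoing HTTP Domain idowall.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"idowall.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])idowall\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4234202; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/393;)
# e395: full-URL rules. The host is matched anywhere in the header block (http.header), not only in Host:, so a
# Referer pointing at on-global.xyz also satisfies the first content; the path match on http.uri is what makes
# these specific. Bound to $HTTP_PORTS - HTTP on an unusual port is not covered.
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e395 [tlp:white] Outgoing URL http|3a|//on-global.xyz/Ov56cYsfVV8/OJITWH2WFx/Jy5S7hSx0K/fP7saoiPBc/A=="; flow:to_server,established; http.header; content:"on-global.xyz"; fast_pattern; nocase; http.uri; content:"/Ov56cYsfVV8/OJITWH2WFx/Jy5S7hSx0K/fP7saoiPBc/A=="; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4234351; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/395;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e395 [tlp:white] Outgoing URL http|3a|//on-global.xyz/Of56cYsfVV8/OJITWH2WFx/Jy5S7hSx0K/fP7saoiPBc/A=="; flow:to_server,established; http.header; content:"on-global.xyz"; fast_pattern; nocase; http.uri; content:"/Of56cYsfVV8/OJITWH2WFx/Jy5S7hSx0K/fP7saoiPBc/A=="; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4234361; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/395;)
# e398 repository URLs: the exporter put the whole "host/path" string into a single http.uri match. Suricata's
# http.uri buffer holds the normalized request-URI, which for an ordinary (non-proxy) request is the path only,
# so a content of "bitbucket.org/..." could never match - these six rules were dead. Rewritten as http.host
# (normalized lowercase, so no nocase) plus the path on http.uri; sids kept, rev bumped to 2.
# All three forges are HTTPS-only, so even the fixed rules need TLS decrypted upstream of the sensor; a tls.sni
# match on github.com / gitlab.com / bitbucket.org alone would be far too noisy to be useful.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e398 [tlp:white] Outgoing URL bitbucket.org/JulieHeilman/m100-firmware-mirror/downloads/"; flow:to_server,established; http.host; content:"bitbucket.org"; http.uri; content:"/JulieHeilman/m100-firmware-mirror/downloads/"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4234871; rev:2; priority:2; reference:url,https://misp.botvrij.eu/events/view/398;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e398 [tlp:white] Outgoing URL bitbucket.org/upgrades/um/downloads/"; flow:to_server,established; http.host; content:"bitbucket.org"; http.uri; content:"/upgrades/um/downloads/"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4234881; rev:2; priority:2; reference:url,https://misp.botvrij.eu/events/view/398;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e398 [tlp:white] Outgoing URL bitbucket.org/legit-updates/flash-player/downloads"; flow:to_server,established; http.host; content:"bitbucket.org"; http.uri; content:"/legit-updates/flash-player/downloads"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4234891; rev:2; priority:2; reference:url,https://misp.botvrij.eu/events/view/398;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e398 [tlp:white] Outgoing URL gitlab.com/JulieHeilman/m100-firmware-mirror/raw/master/"; flow:to_server,established; http.host; content:"gitlab.com"; http.uri; content:"/JulieHeilman/m100-firmware-mirror/raw/master/"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4234901; rev:2; priority:2; reference:url,https://misp.botvrij.eu/events/view/398;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e398 [tlp:white] Outgoing URL gitlab.com/saev3aeg/ugee8zee/raw/master/"; flow:to_server,established; http.host; content:"gitlab.com"; http.uri; content:"/saev3aeg/ugee8zee/raw/master/"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4234911; rev:2; priority:2; reference:url,https://misp.botvrij.eu/events/view/398;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e398 [tlp:white] Outgoing URL github.com/amf9esiabnb/documents/releases/download/"; flow:to_server,established; http.host; content:"github.com"; http.uri; content:"/amf9esiabnb/documents/releases/download/"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4234921; rev:2; priority:2; reference:url,https://misp.botvrij.eu/events/view/398;)
# e398 "tcp://" URLs: the tcp:// scheme marks a raw-TCP endpoint, not an HTTP request (pool.minexmr.com and
# mine.aeon-pool.com look like cryptominer pool endpoints), so an http.uri match on "tcp://..." could never fire -
# these six rules were dead as exported. Rewritten as dns.query rules for the two hostnames and outbound-IP rules
# for the four addresses; sids kept, rev bumped to 2. 45.9.148.21/.36/.132 sit in the same /24 as e391's
# 45.9.148.193 - consider a local /24 rule if that block keeps showing up.
alert dns any any -> any any (msg: "MISP e398 [tlp:white] Hostname pool.minexmr.com (exported as tcp|3a|//pool.minexmr.com)"; dns.query; content:"pool.minexmr.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])pool\.minexmr\.com$/i"; classtype:trojan-activity; sid:4234931; rev:2; priority:2; reference:url,https://misp.botvrij.eu/events/view/398;)
alert dns any any -> any any (msg: "MISP e398 [tlp:white] Hostname mine.aeon-pool.com (exported as tcp|3a|//mine.aeon-pool.com)"; dns.query; content:"mine.aeon-pool.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])mine\.aeon\-pool\.com$/i"; classtype:trojan-activity; sid:4234941; rev:2; priority:2; reference:url,https://misp.botvrij.eu/events/view/398;)
alert ip $HOME_NET any -> 5.255.86.125 any (msg: "MISP e398 [tlp:white] Outgoing To IP: 5.255.86.125 (exported as tcp|3a|//5.255.86.125)"; classtype:trojan-activity; sid:4234951; rev:2; priority:2; reference:url,https://misp.botvrij.eu/events/view/398;)
alert ip $HOME_NET any -> 45.9.148.21 any (msg: "MISP e398 [tlp:white] Outgoing To IP: 45.9.148.21 (exported as tcp|3a|//45.9.148.21)"; classtype:trojan-activity; sid:4234961; rev:2; priority:2; reference:url,https://misp.botvrij.eu/events/view/398;)
alert ip $HOME_NET any -> 45.9.148.36 any (msg: "MISP e398 [tlp:white] Outgoing To IP: 45.9.148.36 (exported as tcp|3a|//45.9.148.36)"; classtype:trojan-activity; sid:4234971; rev:2; priority:2; reference:url,https://misp.botvrij.eu/events/view/398;)
alert ip $HOME_NET any -> 45.9.148.132 any (msg: "MISP e398 [tlp:white] Outgoing To IP: 45.9.148.132 (exported as tcp|3a|//45.9.148.132)"; classtype:trojan-activity; sid:4234981; rev:2; priority:2; reference:url,https://misp.botvrij.eu/events/view/398;)
# e398 .onion names: these are resolved inside Tor and never via DNS (RFC 7686), so the dns.query rules fire only
# when a misconfigured client leaks the lookup to a resolver - still worth keeping, but read the alert as "Tor
# leak on this host", not "C2 contact". The Host-header rules can only see cleartext on the hop between a client
# and a local HTTP proxy that fronts Tor; towards the Tor network itself everything is encrypted.
alert dns any any -> any any (msg: "MISP e398 [tlp:white] Domain gpiekd65jgshwp2p53igifv43aug2adacdebmuuri34hduvijr5pfjad.onion"; dns.query; content:"gpiekd65jgshwp2p53igifv43aug2adacdebmuuri34hduvijr5pfjad.onion"; nocase; pcre: "/(^|[^A-Za-z0-9-])gpiekd65jgshwp2p53igifv43aug2adacdebmuuri34hduvijr5pfjad\.onion$/i"; classtype:trojan-activity; sid:4234991; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/398;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e398 [tlp:white] Outgoing HTTP Domain gpiekd65jgshwp2p53igifv43aug2adacdebmuuri34hduvijr5pfjad.onion"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gpiekd65jgshwp2p53igifv43aug2adacdebmuuri34hduvijr5pfjad.onion"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gpiekd65jgshwp2p53igifv43aug2adacdebmuuri34hduvijr5pfjad\.onion[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4234992; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/398;)
alert dns any any -> any any (msg: "MISP e398 [tlp:white] Domain ghtyqipha6mcwxiz.onion"; dns.query; content:"ghtyqipha6mcwxiz.onion"; nocase; pcre: "/(^|[^A-Za-z0-9-])ghtyqipha6mcwxiz\.onion$/i"; classtype:trojan-activity; sid:4235001; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/398;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e398 [tlp:white] Outgoing HTTP Domain ghtyqipha6mcwxiz.onion"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ghtyqipha6mcwxiz.onion"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ghtyqipha6mcwxiz\.onion[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4235002; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/398;)
alert dns any any -> any any (msg: "MISP e398 [tlp:white] Domain ajiumbl2p2mjzx3l.onion"; dns.query; content:"ajiumbl2p2mjzx3l.onion"; nocase; pcre: "/(^|[^A-Za-z0-9-])ajiumbl2p2mjzx3l\.onion$/i"; classtype:trojan-activity; sid:4235011; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/398;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e398 [tlp:white] Outgoing HTTP Domain ajiumbl2p2mjzx3l.onion"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ajiumbl2p2mjzx3l.onion"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ajiumbl2p2mjzx3l\.onion[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4235012; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/398;)
alert dns any any -> any any (msg: "MISP e399 [tlp:white,misp-galaxy:malpedia="Mispadu",misp-galaxy:target-information="Mexico"] Domain plinqok.com"; dns.query; 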
content:"plinqok.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])plinqok\.com$/i"; classtype:trojan-activity; sid:4235111; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/399;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e399 [tlp:white,misp-galaxy:malpedia="Mispadu",misp-galaxy:target-information="Mexico"] Outgoing HTTP Domain plinqok.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"plinqok.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])plinqok\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4235112; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/399;) alert dns any any -> any any (msg: "MISP e399 [tlp:white,misp-galaxy:malpedia="Mispadu",misp-galaxy:target-information="Mexico"] Domain trilivok.com"; dns.query; content:"trilivok.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])trilivok\.com$/i"; classtype:trojan-activity; sid:4235121; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/399;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e399 [tlp:white,misp-galaxy:malpedia="Mispadu",misp-galaxy:target-information="Mexico"] Outgoing HTTP Domain trilivok.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"trilivok.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])trilivok\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4235122; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/399;) alert dns any any -> any any (msg: "MISP e399 [tlp:white,misp-galaxy:malpedia="Mispadu",misp-galaxy:target-information="Mexico"] Domain xalticainvest.com"; dns.query; content:"xalticainvest.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])xalticainvest\.com$/i"; classtype:trojan-activity; sid:4235131; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/399;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e399 
[tlp:white,misp-galaxy:malpedia="Mispadu",misp-galaxy:target-information="Mexico"] Outgoing HTTP Domain xalticainvest.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"xalticainvest.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])xalticainvest\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4235132; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/399;) alert dns any any -> any any (msg: "MISP e399 [tlp:white,misp-galaxy:malpedia="Mispadu",misp-galaxy:target-information="Mexico"] Domain moscovatech.com"; dns.query; content:"moscovatech.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])moscovatech\.com$/i"; classtype:trojan-activity; sid:4235141; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/399;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e399 [tlp:white,misp-galaxy:malpedia="Mispadu",misp-galaxy:target-information="Mexico"] Outgoing HTTP Domain moscovatech.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"moscovatech.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])moscovatech\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4235142; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/399;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e399 [tlp:white,misp-galaxy:malpedia="Mispadu",misp-galaxy:target-information="Mexico"] Outgoing URL http|3a|//trilivok.com/4g3031ar0/cb6y1dh/it.php"; flow:to_server,established; http.header; content:"trilivok.com"; fast_pattern; nocase; http.uri; content:"/4g3031ar0/cb6y1dh/it.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4235151; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/399;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e399 [tlp:white,misp-galaxy:malpedia="Mispadu",misp-galaxy:target-information="Mexico"] Outgoing URL 
https|3a|//plinqok.com/3dzy14ebg/buhumo0/it.php"; tls.sni; content:"plinqok.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4235161; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/399;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e399 [tlp:white,misp-galaxy:malpedia="Mispadu",misp-galaxy:target-information="Mexico"] Outgoing URL 24.199.98.128/expediente38/8869881268/8594605066.exe"; flow:to_server,established; http.uri; content:"24.199.98.128/expediente38/8869881268/8594605066.exe"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4235171; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/399;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e399 [tlp:white,misp-galaxy:malpedia="Mispadu",misp-galaxy:target-information="Mexico"] Outgoing URL 24.199.98.128/verificacion58/6504926283/3072491614.exe"; flow:to_server,established; http.uri; content:"24.199.98.128/verificacion58/6504926283/3072491614.exe"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4235181; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/399;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e399 [tlp:white,misp-galaxy:malpedia="Mispadu",misp-galaxy:target-information="Mexico"] Outgoing URL 24.199.98.128/impresion73/5464893028/8024251449.exe"; flow:to_server,established; http.uri; content:"24.199.98.128/impresion73/5464893028/8024251449.exe"; fast_pattern; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4235191; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/399;) alert dns any any -> any any (msg: "MISP e400 [tlp:white] Domain featuresscanner.com"; dns.query; content:"featuresscanner.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])featuresscanner\.com$/i"; classtype:trojan-activity; sid:4235261; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/400;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg: "MISP e400 [tlp:white] Outgoing HTTP Domain featuresscanner.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"featuresscanner.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])featuresscanner\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4235262; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/400;) alert dns any any -> any any (msg: "MISP e400 [tlp:white] Domain professionalswebcheck.com"; dns.query; content:"professionalswebcheck.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])professionalswebcheck\.com$/i"; classtype:trojan-activity; sid:4235271; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/400;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e400 [tlp:white] Outgoing HTTP Domain professionalswebcheck.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"professionalswebcheck.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])professionalswebcheck\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4235272; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/400;) alert dns any any -> any any (msg: "MISP e400 [tlp:white] Domain hightrafficcounter.com"; dns.query; content:"hightrafficcounter.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])hightrafficcounter\.com$/i"; classtype:trojan-activity; sid:4235281; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/400;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e400 [tlp:white] Outgoing HTTP Domain hightrafficcounter.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hightrafficcounter.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hightrafficcounter\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4235282; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/400;) alert dns any any -> any any (msg: "MISP e400 [tlp:white] Domain proftrafficcounter.com"; dns.query; content:"proftrafficcounter.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])proftrafficcounter\.com$/i"; classtype:trojan-activity; sid:4235291; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/400;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e400 [tlp:white] Outgoing HTTP Domain proftrafficcounter.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"proftrafficcounter.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])proftrafficcounter\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4235292; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/400;) alert dns any any -> any any (msg: "MISP e400 [tlp:white] Domain experttrafficmonitor.com"; dns.query; content:"experttrafficmonitor.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])experttrafficmonitor\.com$/i"; classtype:trojan-activity; sid:4235301; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/400;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e400 [tlp:white] Outgoing HTTP Domain experttrafficmonitor.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"experttrafficmonitor.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])experttrafficmonitor\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4235302; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/400;) alert ip $HOME_NET any -> 192.243.59.20 any (msg: "MISP e400 [tlp:white] Outgoing To IP: 192.243.59.20"; classtype:trojan-activity; sid:4235311; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/400;) alert ip $HOME_NET any -> 192.243.59.13 any (msg: "MISP e400 [tlp:white] Outgoing To IP: 192.243.59.13"; classtype:trojan-activity; sid:4235321; 
rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/400;) alert ip $HOME_NET any -> 192.243.59.12 any (msg: "MISP e400 [tlp:white] Outgoing To IP: 192.243.59.12"; classtype:trojan-activity; sid:4235331; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/400;) alert ip $HOME_NET any -> 192.243.61.227 any (msg: "MISP e400 [tlp:white] Outgoing To IP: 192.243.61.227"; classtype:trojan-activity; sid:4235341; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/400;) alert ip $HOME_NET any -> 192.243.61.225 any (msg: "MISP e400 [tlp:white] Outgoing To IP: 192.243.61.225"; classtype:trojan-activity; sid:4235351; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/400;) alert ip $HOME_NET any -> 173.233.139.164 any (msg: "MISP e400 [tlp:white] Outgoing To IP: 173.233.139.164"; classtype:trojan-activity; sid:4235361; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/400;) alert ip $HOME_NET any -> 173.233.137.60 any (msg: "MISP e400 [tlp:white] Outgoing To IP: 173.233.137.60"; classtype:trojan-activity; sid:4235371; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/400;) alert ip $HOME_NET any -> 173.233.137.52 any (msg: "MISP e400 [tlp:white] Outgoing To IP: 173.233.137.52"; classtype:trojan-activity; sid:4235381; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/400;) alert ip $HOME_NET any -> 173.233.137.44 any (msg: "MISP e400 [tlp:white] Outgoing To IP: 173.233.137.44"; classtype:trojan-activity; sid:4235391; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/400;) alert ip $HOME_NET any -> 173.233.137.36 any (msg: "MISP e400 [tlp:white] Outgoing To IP: 173.233.137.36"; classtype:trojan-activity; sid:4235401; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/400;) alert dns any any -> any any (msg: "MISP e400 [tlp:white] Domain tracker-tds.info"; dns.query; content:"tracker-tds.info"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])tracker\-tds\.info$/i"; classtype:trojan-activity; sid:4235411; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/400;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e400 [tlp:white] Outgoing HTTP Domain tracker-tds.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tracker-tds.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tracker\-tds\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4235412; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/400;) alert dns any any -> any any (msg: "MISP e400 [tlp:white] Domain jpadsnow.com"; dns.query; content:"jpadsnow.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])jpadsnow\.com$/i"; classtype:trojan-activity; sid:4235421; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/400;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e400 [tlp:white] Outgoing HTTP Domain jpadsnow.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"jpadsnow.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])jpadsnow\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4235422; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/400;) alert dns any any -> any any (msg: "MISP e400 [tlp:white] Domain ad-blocking24.net"; dns.query; content:"ad-blocking24.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])ad\-blocking24\.net$/i"; classtype:trojan-activity; sid:4235431; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/400;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e400 [tlp:white] Outgoing HTTP Domain ad-blocking24.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ad-blocking24.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ad\-blocking24\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; 
sid:4235432; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/400;) alert dns any any -> any any (msg: "MISP e400 [tlp:white] Domain myqenad24.com"; dns.query; content:"myqenad24.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])myqenad24\.com$/i"; classtype:trojan-activity; sid:4235441; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/400;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e400 [tlp:white] Outgoing HTTP Domain myqenad24.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"myqenad24.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])myqenad24\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4235442; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/400;) alert dns any any -> any any (msg: "MISP e400 [tlp:white] Domain artificius.com"; dns.query; content:"artificius.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])artificius\.com$/i"; classtype:trojan-activity; sid:4235461; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/400;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e400 [tlp:white] Outgoing HTTP Domain artificius.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"artificius.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])artificius\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4235462; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/400;) alert dns any any -> any any (msg: "MISP e400 [tlp:white] Domain hoanoola.net"; dns.query; content:"hoanoola.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])hoanoola\.net$/i"; classtype:trojan-activity; sid:4235471; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/400;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e400 [tlp:white] Outgoing HTTP Domain hoanoola.net"; flow:to_server,established; http.header; content: 
"Host|3a|"; nocase; http.header; content:"hoanoola.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hoanoola\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4235472; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/400;) alert dns any any -> any any (msg: "MISP e400 [tlp:white] Domain allureoutlayterrific.com"; dns.query; content:"allureoutlayterrific.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])allureoutlayterrific\.com$/i"; classtype:trojan-activity; sid:4235481; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/400;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e400 [tlp:white] Outgoing HTTP Domain allureoutlayterrific.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"allureoutlayterrific.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])allureoutlayterrific\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4235482; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/400;) alert ip $HOME_NET any -> 162.62.225.65 any (msg: "MISP e401 [misp-galaxy:country="china",tlp:white,misp-galaxy:amitt-misinformation-pattern="Create fake or imposter news sites",misp-galaxy:amitt-misinformation-pattern="Use concealment",misp-galaxy:amitt-misinformation-pattern="Conspiracy narratives",misp-galaxy:amitt-misinformation-pattern="Facilitate State Propaganda",misp-galaxy:amitt-misinformation-pattern="Search Engine Optimization",misp-galaxy:amitt-misinformation-pattern="Legacy web content",misp-galaxy:amitt-misinformation-pattern="Twitter",misp-galaxy:amitt-misinformation-pattern="Facebook",misp-galaxy:amitt-misinformation-pattern="LinkedIn",misp-galaxy:amitt-misinformation-pattern="Instagram"] Outgoing To IP: 162.62.225.65"; classtype:trojan-activity; sid:4235501; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/401;) alert ip $HOME_NET any -> 43.163.221.160 any (msg: "MISP e401 
[misp-galaxy:country="china",tlp:white,misp-galaxy:amitt-misinformation-pattern="Create fake or imposter news sites",misp-galaxy:amitt-misinformation-pattern="Use concealment",misp-galaxy:amitt-misinformation-pattern="Conspiracy narratives",misp-galaxy:amitt-misinformation-pattern="Facilitate State Propaganda",misp-galaxy:amitt-misinformation-pattern="Search Engine Optimization",misp-galaxy:amitt-misinformation-pattern="Legacy web content",misp-galaxy:amitt-misinformation-pattern="Twitter",misp-galaxy:amitt-misinformation-pattern="Facebook",misp-galaxy:amitt-misinformation-pattern="LinkedIn",misp-galaxy:amitt-misinformation-pattern="Instagram"] Outgoing To IP: 43.163.221.160"; classtype:trojan-activity; sid:4235511; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/401;) alert ip $HOME_NET any -> 43.155.173.104 any (msg: "MISP e401 [misp-galaxy:country="china",tlp:white,misp-galaxy:amitt-misinformation-pattern="Create fake or imposter news sites",misp-galaxy:amitt-misinformation-pattern="Use concealment",misp-galaxy:amitt-misinformation-pattern="Conspiracy narratives",misp-galaxy:amitt-misinformation-pattern="Facilitate State Propaganda",misp-galaxy:amitt-misinformation-pattern="Search Engine Optimization",misp-galaxy:amitt-misinformation-pattern="Legacy web content",misp-galaxy:amitt-misinformation-pattern="Twitter",misp-galaxy:amitt-misinformation-pattern="Facebook",misp-galaxy:amitt-misinformation-pattern="LinkedIn",misp-galaxy:amitt-misinformation-pattern="Instagram"] Outgoing To IP: 43.155.173.104"; classtype:trojan-activity; sid:4235521; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/401;) alert ip $HOME_NET any -> 43.153.75.48 any (msg: "MISP e401 [misp-galaxy:country="china",tlp:white,misp-galaxy:amitt-misinformation-pattern="Create fake or imposter news sites",misp-galaxy:amitt-misinformation-pattern="Use concealment",misp-galaxy:amitt-misinformation-pattern="Conspiracy 
narratives",misp-galaxy:amitt-misinformation-pattern="Facilitate State Propaganda",misp-galaxy:amitt-misinformation-pattern="Search Engine Optimization",misp-galaxy:amitt-misinformation-pattern="Legacy web content",misp-galaxy:amitt-misinformation-pattern="Twitter",misp-galaxy:amitt-misinformation-pattern="Facebook",misp-galaxy:amitt-misinformation-pattern="LinkedIn",misp-galaxy:amitt-misinformation-pattern="Instagram"] Outgoing To IP: 43.153.75.48"; classtype:trojan-activity; sid:4235531; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/401;) alert ip $HOME_NET any -> 49.51.49.54 any (msg: "MISP e401 [misp-galaxy:country="china",tlp:white,misp-galaxy:amitt-misinformation-pattern="Create fake or imposter news sites",misp-galaxy:amitt-misinformation-pattern="Use concealment",misp-galaxy:amitt-misinformation-pattern="Conspiracy narratives",misp-galaxy:amitt-misinformation-pattern="Facilitate State Propaganda",misp-galaxy:amitt-misinformation-pattern="Search Engine Optimization",misp-galaxy:amitt-misinformation-pattern="Legacy web content",misp-galaxy:amitt-misinformation-pattern="Twitter",misp-galaxy:amitt-misinformation-pattern="Facebook",misp-galaxy:amitt-misinformation-pattern="LinkedIn",misp-galaxy:amitt-misinformation-pattern="Instagram"] Outgoing To IP: 49.51.49.54"; classtype:trojan-activity; sid:4235541; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/401;) alert ip $HOME_NET any -> 43.157.63.199 any (msg: "MISP e401 [misp-galaxy:country="china",tlp:white,misp-galaxy:amitt-misinformation-pattern="Create fake or imposter news sites",misp-galaxy:amitt-misinformation-pattern="Use concealment",misp-galaxy:amitt-misinformation-pattern="Conspiracy narratives",misp-galaxy:amitt-misinformation-pattern="Facilitate State Propaganda",misp-galaxy:amitt-misinformation-pattern="Search Engine Optimization",misp-galaxy:amitt-misinformation-pattern="Legacy web 
content",misp-galaxy:amitt-misinformation-pattern="Twitter",misp-galaxy:amitt-misinformation-pattern="Facebook",misp-galaxy:amitt-misinformation-pattern="LinkedIn",misp-galaxy:amitt-misinformation-pattern="Instagram"] Outgoing To IP: 43.157.63.199"; classtype:trojan-activity; sid:4235551; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/401;) alert ip $HOME_NET any -> 170.106.196.76 any (msg: "MISP e401 [misp-galaxy:country="china",tlp:white,misp-galaxy:amitt-misinformation-pattern="Create fake or imposter news sites",misp-galaxy:amitt-misinformation-pattern="Use concealment",misp-galaxy:amitt-misinformation-pattern="Conspiracy narratives",misp-galaxy:amitt-misinformation-pattern="Facilitate State Propaganda",misp-galaxy:amitt-misinformation-pattern="Search Engine Optimization",misp-galaxy:amitt-misinformation-pattern="Legacy web content",misp-galaxy:amitt-misinformation-pattern="Twitter",misp-galaxy:amitt-misinformation-pattern="Facebook",misp-galaxy:amitt-misinformation-pattern="LinkedIn",misp-galaxy:amitt-misinformation-pattern="Instagram"] Outgoing To IP: 170.106.196.76"; classtype:trojan-activity; sid:4235561; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/401;) alert ip $HOME_NET any -> 43.157.58.203 any (msg: "MISP e401 [misp-galaxy:country="china",tlp:white,misp-galaxy:amitt-misinformation-pattern="Create fake or imposter news sites",misp-galaxy:amitt-misinformation-pattern="Use concealment",misp-galaxy:amitt-misinformation-pattern="Conspiracy narratives",misp-galaxy:amitt-misinformation-pattern="Facilitate State Propaganda",misp-galaxy:amitt-misinformation-pattern="Search Engine Optimization",misp-galaxy:amitt-misinformation-pattern="Legacy web content",misp-galaxy:amitt-misinformation-pattern="Twitter",misp-galaxy:amitt-misinformation-pattern="Facebook",misp-galaxy:amitt-misinformation-pattern="LinkedIn",misp-galaxy:amitt-misinformation-pattern="Instagram"] Outgoing To IP: 43.157.58.203"; 
classtype:trojan-activity; sid:4235571; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/401;) alert ip $HOME_NET any -> 43.153.106.236 any (msg: "MISP e401 [misp-galaxy:country="china",tlp:white,misp-galaxy:amitt-misinformation-pattern="Create fake or imposter news sites",misp-galaxy:amitt-misinformation-pattern="Use concealment",misp-galaxy:amitt-misinformation-pattern="Conspiracy narratives",misp-galaxy:amitt-misinformation-pattern="Facilitate State Propaganda",misp-galaxy:amitt-misinformation-pattern="Search Engine Optimization",misp-galaxy:amitt-misinformation-pattern="Legacy web content",misp-galaxy:amitt-misinformation-pattern="Twitter",misp-galaxy:amitt-misinformation-pattern="Facebook",misp-galaxy:amitt-misinformation-pattern="LinkedIn",misp-galaxy:amitt-misinformation-pattern="Instagram"] Outgoing To IP: 43.153.106.236"; classtype:trojan-activity; sid:4235581; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/401;) alert ip $HOME_NET any -> 203.95.8.98 any (msg: "MISP e402 [workflow:state="complete",misp-galaxy:country="china",misp-galaxy:sector="Energy",misp-galaxy:sector="Telecoms",misp-galaxy:sector="Transport",misp-galaxy:sector="Water",misp-galaxy:mitre-intrusion-set="Volt Typhoon - G1017",misp-galaxy:threat-actor="Volt Typhoon",tlp:white] Outgoing To IP: 203.95.8.98"; classtype:trojan-activity; sid:4235591; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/402;) alert ip $HOME_NET any -> 203.95.9.54 any (msg: "MISP e402 [workflow:state="complete",misp-galaxy:country="china",misp-galaxy:sector="Energy",misp-galaxy:sector="Telecoms",misp-galaxy:sector="Transport",misp-galaxy:sector="Water",misp-galaxy:mitre-intrusion-set="Volt Typhoon - G1017",misp-galaxy:threat-actor="Volt Typhoon",tlp:white] Outgoing To IP: 203.95.9.54"; classtype:trojan-activity; sid:4235601; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/402;) alert dns any any -> any any (msg: "MISP e403 
[misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain piter-news.net"; dns.query; content:"piter-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])piter\-news\.net$/i"; classtype:trojan-activity; sid:4237261; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain piter-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"piter-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])piter\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237262; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain lenta.kharkiv.ua"; dns.query; content:"lenta.kharkiv.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])lenta\.kharkiv\.ua$/i"; classtype:trojan-activity; sid:4237271; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain lenta.kharkiv.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lenta.kharkiv.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lenta\.kharkiv\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237272; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain moskva-news.com"; dns.query; content:"moskva-news.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])moskva\-news\.com$/i"; classtype:trojan-activity; sid:4237281; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain moskva-news.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"moskva-news.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])moskva\-news\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4237282; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain uanews.kharkiv.ua"; dns.query; content:"uanews.kharkiv.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])uanews\.kharkiv\.ua$/i"; classtype:trojan-activity; sid:4237291; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain uanews.kharkiv.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"uanews.kharkiv.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])uanews\.kharkiv\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237292; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain topnews.kiev.ua"; dns.query; content:"topnews.kiev.ua"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])topnews\.kiev\.ua$/i"; classtype:trojan-activity; sid:4237301; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain topnews.kiev.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"topnews.kiev.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])topnews\.kiev\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237302; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain topnews.odessa.ua"; dns.query; content:"topnews.odessa.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])topnews\.odessa\.ua$/i"; classtype:trojan-activity; sid:4237311; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain topnews.odessa.ua"; 
flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"topnews.odessa.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])topnews\.odessa\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237312; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain uanews.odessa.ua"; dns.query; content:"uanews.odessa.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])uanews\.odessa\.ua$/i"; classtype:trojan-activity; sid:4237321; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain uanews.odessa.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"uanews.odessa.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])uanews\.odessa\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237322; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 
[misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain dneprnews.com.ua"; dns.query; content:"dneprnews.com.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])dneprnews\.com\.ua$/i"; classtype:trojan-activity; sid:4237331; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain dneprnews.com.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dneprnews.com.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dneprnews\.com\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237332; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain uanews.dp.ua"; dns.query; content:"uanews.dp.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])uanews\.dp\.ua$/i"; classtype:trojan-activity; sid:4237341; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain uanews.dp.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"uanews.dp.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])uanews\.dp\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237342; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain topnews.zp.ua"; dns.query; content:"topnews.zp.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])topnews\.zp\.ua$/i"; classtype:trojan-activity; sid:4237351; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain topnews.zp.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"topnews.zp.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])topnews\.zp\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4237352; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain uanews.zp.ua"; dns.query; content:"uanews.zp.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])uanews\.zp\.ua$/i"; classtype:trojan-activity; sid:4237361; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain uanews.zp.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"uanews.zp.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])uanews\.zp\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237362; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain lenta.te.ua"; dns.query; content:"lenta.te.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])lenta\.te\.ua$/i"; classtype:trojan-activity; 
sid:4237371; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain lenta.te.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lenta.te.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lenta\.te\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237372; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain lenta.lviv.ua"; dns.query; content:"lenta.lviv.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])lenta\.lviv\.ua$/i"; classtype:trojan-activity; sid:4237381; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain lenta.lviv.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lenta.lviv.ua"; 
fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lenta\.lviv\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237382; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain lenta.donetsk.ua"; dns.query; content:"lenta.donetsk.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])lenta\.donetsk\.ua$/i"; classtype:trojan-activity; sid:4237391; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain lenta.donetsk.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lenta.donetsk.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lenta\.donetsk\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237392; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] 
Domain topnews.uz.ua"; dns.query; content:"topnews.uz.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])topnews\.uz\.ua$/i"; classtype:trojan-activity; sid:4237401; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain topnews.uz.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"topnews.uz.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])topnews\.uz\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237402; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain topnews.sebastopol.ua"; dns.query; content:"topnews.sebastopol.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])topnews\.sebastopol\.ua$/i"; classtype:trojan-activity; sid:4237411; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 
[misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain topnews.sebastopol.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"topnews.sebastopol.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])topnews\.sebastopol\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237412; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain topnews.sumy.ua"; dns.query; content:"topnews.sumy.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])topnews\.sumy\.ua$/i"; classtype:trojan-activity; sid:4237421; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain topnews.sumy.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"topnews.sumy.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])topnews\.sumy\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4237422; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain uanews.crimea.ua"; dns.query; content:"uanews.crimea.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])uanews\.crimea\.ua$/i"; classtype:trojan-activity; sid:4237431; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain uanews.crimea.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"uanews.crimea.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])uanews\.crimea\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237432; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain uanews.sumy.ua"; dns.query; content:"uanews.sumy.ua"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])uanews\.sumy\.ua$/i"; classtype:trojan-activity; sid:4237441; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain uanews.sumy.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"uanews.sumy.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])uanews\.sumy\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237442; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain lenta.if.ua"; dns.query; content:"lenta.if.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])lenta\.if\.ua$/i"; classtype:trojan-activity; sid:4237451; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain lenta.if.ua"; flow:to_server,established; http.header; 
content: "Host|3a|"; nocase; http.header; content:"lenta.if.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lenta\.if\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237452; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain topnews.km.ua"; dns.query; content:"topnews.km.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])topnews\.km\.ua$/i"; classtype:trojan-activity; sid:4237461; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain topnews.km.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"topnews.km.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])topnews\.km\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237462; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 
[misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain topnews.ks.ua"; dns.query; content:"topnews.ks.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])topnews\.ks\.ua$/i"; classtype:trojan-activity; sid:4237471; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain topnews.ks.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"topnews.ks.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])topnews\.ks\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237472; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain topnews.lg.ua"; dns.query; content:"topnews.lg.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])topnews\.lg\.ua$/i"; classtype:trojan-activity; sid:4237481; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 
[misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain topnews.lg.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"topnews.lg.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])topnews\.lg\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237482; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain uanews.ck.ua"; dns.query; content:"uanews.ck.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])uanews\.ck\.ua$/i"; classtype:trojan-activity; sid:4237491; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain uanews.ck.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"uanews.ck.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])uanews\.ck\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237492; 
rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain uanews.cn.ua"; dns.query; content:"uanews.cn.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])uanews\.cn\.ua$/i"; classtype:trojan-activity; sid:4237501; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain uanews.cn.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"uanews.cn.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])uanews\.cn\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237502; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain uanews.cv.ua"; dns.query; content:"uanews.cv.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])uanews\.cv\.ua$/i"; classtype:trojan-activity; sid:4237511; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain uanews.cv.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"uanews.cv.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])uanews\.cv\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237512; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain uanews.if.ua"; dns.query; content:"uanews.if.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])uanews\.if\.ua$/i"; classtype:trojan-activity; sid:4237521; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain uanews.if.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"uanews.if.ua"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-])uanews\.if\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237522; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain uanews.km.ua"; dns.query; content:"uanews.km.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])uanews\.km\.ua$/i"; classtype:trojan-activity; sid:4237531; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain uanews.km.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"uanews.km.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])uanews\.km\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237532; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain uanews.kr.ua"; dns.query; content:"uanews.kr.ua"; 
nocase; pcre: "/(^|[^A-Za-z0-9-])uanews\.kr\.ua$/i"; classtype:trojan-activity; sid:4237541; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain uanews.kr.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"uanews.kr.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])uanews\.kr\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237542; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain uanews.ks.ua"; dns.query; content:"uanews.ks.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])uanews\.ks\.ua$/i"; classtype:trojan-activity; sid:4237551; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain uanews.ks.ua"; flow:to_server,established; 
http.header; content: "Host|3a|"; nocase; http.header; content:"uanews.ks.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])uanews\.ks\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237552; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain uanews.lg.ua"; dns.query; content:"uanews.lg.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])uanews\.lg\.ua$/i"; classtype:trojan-activity; sid:4237561; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain uanews.lg.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"uanews.lg.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])uanews\.lg\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237562; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 
[misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain uanews.pl.ua"; dns.query; content:"uanews.pl.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])uanews\.pl\.ua$/i"; classtype:trojan-activity; sid:4237571; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain uanews.pl.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"uanews.pl.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])uanews\.pl\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237572; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain uanews.rv.ua"; dns.query; content:"uanews.rv.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])uanews\.rv\.ua$/i"; classtype:trojan-activity; sid:4237581; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 
[misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain uanews.rv.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"uanews.rv.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])uanews\.rv\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237582; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain uanews.uz.ua"; dns.query; content:"uanews.uz.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])uanews\.uz\.ua$/i"; classtype:trojan-activity; sid:4237591; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain uanews.uz.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"uanews.uz.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])uanews\.uz\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237592; rev:1; 
priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain uanews.vn.ua"; dns.query; content:"uanews.vn.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])uanews\.vn\.ua$/i"; classtype:trojan-activity; sid:4237601; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain uanews.vn.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"uanews.vn.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])uanews\.vn\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237602; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain uanews.zt.ua"; dns.query; content:"uanews.zt.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])uanews\.zt\.ua$/i"; classtype:trojan-activity; sid:4237611; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain uanews.zt.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"uanews.zt.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])uanews\.zt\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237612; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain uanews.donetsk.ua"; dns.query; content:"uanews.donetsk.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])uanews\.donetsk\.ua$/i"; classtype:trojan-activity; sid:4237621; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain uanews.donetsk.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"uanews.donetsk.ua"; 
fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])uanews\.donetsk\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237622; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain uanews.lviv.ua"; dns.query; content:"uanews.lviv.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])uanews\.lviv\.ua$/i"; classtype:trojan-activity; sid:4237631; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain uanews.lviv.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"uanews.lviv.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])uanews\.lviv\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237632; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain 
topnews.volyn.ua"; dns.query; content:"topnews.volyn.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])topnews\.volyn\.ua$/i"; classtype:trojan-activity; sid:4237641; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain topnews.volyn.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"topnews.volyn.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])topnews\.volyn\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237642; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain topnews.cv.ua"; dns.query; content:"topnews.cv.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])topnews\.cv\.ua$/i"; classtype:trojan-activity; sid:4237651; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United 
States"] Outgoing HTTP Domain topnews.cv.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"topnews.cv.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])topnews\.cv\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237652; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain uanews.te.ua"; dns.query; content:"uanews.te.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])uanews\.te\.ua$/i"; classtype:trojan-activity; sid:4237661; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain uanews.te.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"uanews.te.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])uanews\.te\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237662; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 
[misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain uanews.volyn.ua"; dns.query; content:"uanews.volyn.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])uanews\.volyn\.ua$/i"; classtype:trojan-activity; sid:4237671; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain uanews.volyn.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"uanews.volyn.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])uanews\.volyn\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237672; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain kiev-news.com.ua"; dns.query; content:"kiev-news.com.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])kiev\-news\.com\.ua$/i"; classtype:trojan-activity; sid:4237681; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain kiev-news.com.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kiev-news.com.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kiev\-news\.com\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237682; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain niknews.com.ua"; dns.query; content:"niknews.com.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])niknews\.com\.ua$/i"; classtype:trojan-activity; sid:4237691; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain niknews.com.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"niknews.com.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])niknews\.com\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4237692; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain topnews.zt.ua"; dns.query; content:"topnews.zt.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])topnews\.zt\.ua$/i"; classtype:trojan-activity; sid:4237701; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain topnews.zt.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"topnews.zt.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])topnews\.zt\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237702; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain nikolaevnews.com.ua"; dns.query; content:"nikolaevnews.com.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])nikolaevnews\.com\.ua$/i"; 
classtype:trojan-activity; sid:4237711; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain nikolaevnews.com.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nikolaevnews.com.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nikolaevnews\.com\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237712; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain topnews.pl.ua"; dns.query; content:"topnews.pl.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])topnews\.pl\.ua$/i"; classtype:trojan-activity; sid:4237721; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain topnews.pl.ua"; flow:to_server,established; http.header; content: 
"Host|3a|"; nocase; http.header; content:"topnews.pl.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])topnews\.pl\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237722; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain topnews.rv.ua"; dns.query; content:"topnews.rv.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])topnews\.rv\.ua$/i"; classtype:trojan-activity; sid:4237731; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain topnews.rv.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"topnews.rv.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])topnews\.rv\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237732; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 
[misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain topnews.cn.ua"; dns.query; content:"topnews.cn.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])topnews\.cn\.ua$/i"; classtype:trojan-activity; sid:4237741; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain topnews.cn.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"topnews.cn.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])topnews\.cn\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237742; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain topnews.ck.ua"; dns.query; content:"topnews.ck.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])topnews\.ck\.ua$/i"; classtype:trojan-activity; sid:4237751; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 
[misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain topnews.ck.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"topnews.ck.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])topnews\.ck\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237752; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain topnews.kr.ua"; dns.query; content:"topnews.kr.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])topnews\.kr\.ua$/i"; classtype:trojan-activity; sid:4237761; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain topnews.kr.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"topnews.kr.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])topnews\.kr\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237762; 
rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain topnews.vn.ua"; dns.query; content:"topnews.vn.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])topnews\.vn\.ua$/i"; classtype:trojan-activity; sid:4237771; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain topnews.vn.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"topnews.vn.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])topnews\.vn\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237772; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain crimea-news.com"; dns.query; content:"crimea-news.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])crimea\-news\.com$/i"; classtype:trojan-activity; sid:4237781; rev:1; 
priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain crimea-news.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"crimea-news.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])crimea\-news\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237782; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain barnaul-news.net"; dns.query; content:"barnaul-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])barnaul\-news\.net$/i"; classtype:trojan-activity; sid:4237791; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain barnaul-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; 
content:"barnaul-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])barnaul\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237792; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain chelyabinsk-news.net"; dns.query; content:"chelyabinsk-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])chelyabinsk\-news\.net$/i"; classtype:trojan-activity; sid:4237801; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain chelyabinsk-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"chelyabinsk-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])chelyabinsk\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237802; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 
[misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain irkutsk-news.net"; dns.query; content:"irkutsk-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])irkutsk\-news\.net$/i"; classtype:trojan-activity; sid:4237811; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain irkutsk-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"irkutsk-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])irkutsk\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237812; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain izhevsk-news.net"; dns.query; content:"izhevsk-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])izhevsk\-news\.net$/i"; classtype:trojan-activity; sid:4237821; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain izhevsk-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"izhevsk-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])izhevsk\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237822; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain kazan-news.net"; dns.query; content:"kazan-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])kazan\-news\.net$/i"; classtype:trojan-activity; sid:4237831; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain kazan-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kazan-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kazan\-news\.net[^A-Za-z0-9-\.]/Hi"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4237832; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain khabarovsk-news.net"; dns.query; content:"khabarovsk-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])khabarovsk\-news\.net$/i"; classtype:trojan-activity; sid:4237841; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain khabarovsk-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"khabarovsk-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])khabarovsk\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237842; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain krasnodar-news.net"; dns.query; content:"krasnodar-news.net"; 
nocase; pcre: "/(^|[^A-Za-z0-9-])krasnodar\-news\.net$/i"; classtype:trojan-activity; sid:4237851; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain krasnodar-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"krasnodar-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])krasnodar\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237852; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain krasnoyarsk-news.net"; dns.query; content:"krasnoyarsk-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])krasnoyarsk\-news\.net$/i"; classtype:trojan-activity; sid:4237861; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP 
Domain krasnoyarsk-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"krasnoyarsk-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])krasnoyarsk\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237862; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain nn-news.net"; dns.query; content:"nn-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])nn\-news\.net$/i"; classtype:trojan-activity; sid:4237871; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain nn-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nn-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nn\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237872; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 
[misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain novosibirsk-news.net"; dns.query; content:"novosibirsk-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])novosibirsk\-news\.net$/i"; classtype:trojan-activity; sid:4237881; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain novosibirsk-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"novosibirsk-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])novosibirsk\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237882; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain omsk-news.net"; dns.query; content:"omsk-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])omsk\-news\.net$/i"; classtype:trojan-activity; sid:4237891; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain omsk-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"omsk-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])omsk\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237892; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain perm-news.net"; dns.query; content:"perm-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])perm\-news\.net$/i"; classtype:trojan-activity; sid:4237901; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain perm-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"perm-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])perm\-news\.net[^A-Za-z0-9-\.]/Hi"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4237902; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain rostov-news.net"; dns.query; content:"rostov-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])rostov\-news\.net$/i"; classtype:trojan-activity; sid:4237911; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain rostov-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"rostov-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])rostov\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237912; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain samara-news.net"; dns.query; content:"samara-news.net"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])samara\-news\.net$/i"; classtype:trojan-activity; sid:4237921; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain samara-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"samara-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])samara\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237922; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain saratov-news.net"; dns.query; content:"saratov-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])saratov\-news\.net$/i"; classtype:trojan-activity; sid:4237931; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain saratov-news.net"; 
flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"saratov-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])saratov\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237932; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain sochi-news.net"; dns.query; content:"sochi-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])sochi\-news\.net$/i"; classtype:trojan-activity; sid:4237941; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain sochi-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sochi-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sochi\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237942; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 
[misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain tolyatti-news.net"; dns.query; content:"tolyatti-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])tolyatti\-news\.net$/i"; classtype:trojan-activity; sid:4237951; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain tolyatti-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tolyatti-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tolyatti\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237952; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain tyumen-news.net"; dns.query; content:"tyumen-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])tyumen\-news\.net$/i"; classtype:trojan-activity; sid:4237961; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain tyumen-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tyumen-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tyumen\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237962; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain ufa-news.net"; dns.query; content:"ufa-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])ufa\-news\.net$/i"; classtype:trojan-activity; sid:4237971; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain ufa-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ufa-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ufa\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4237972; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain ulyanovsk-news.net"; dns.query; content:"ulyanovsk-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])ulyanovsk\-news\.net$/i"; classtype:trojan-activity; sid:4237981; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain ulyanovsk-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ulyanovsk-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ulyanovsk\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237982; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain ural-news.net"; dns.query; content:"ural-news.net"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])ural\-news\.net$/i"; classtype:trojan-activity; sid:4237991; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain ural-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ural-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ural\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4237992; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain vladivostok-news.net"; dns.query; content:"vladivostok-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])vladivostok\-news\.net$/i"; classtype:trojan-activity; sid:4238001; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain vladivostok-news.net"; 
flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vladivostok-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vladivostok\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238002; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain volgograd-news.net"; dns.query; content:"volgograd-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])volgograd\-news\.net$/i"; classtype:trojan-activity; sid:4238011; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain volgograd-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"volgograd-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])volgograd\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238012; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 
[misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain voronezh-news.net"; dns.query; content:"voronezh-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])voronezh\-news\.net$/i"; classtype:trojan-activity; sid:4238021; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
# ---------------------------------------------------------------------------
# Review notes for the MISP event 403 domain rules in this block
# (sids 4238021-4238292, one DNS rule and one HTTP rule per domain).
#
# Every rule here is an instance of one of two export templates:
#   * "alert dns ... dns.query": matches when a DNS query name is the domain
#     or any subdomain of it (the pcre anchors the domain at the end of the
#     name with `$` and only requires a non-hostname character before it).
#   * "alert http ... http.header": matches an outgoing, established HTTP
#     request whose header buffer contains "Host:" somewhere and the domain
#     somewhere. The two content matches are not tied together with
#     distance/within, and the pcre uses the /H (whole header block)
#     modifier, so a Referer: or Origin: header naming the domain also
#     fires the rule, not only the Host: header. A tighter form would be
#     `http.host; content:"<domain>"; nocase; endswith;` (or the same pcre
#     anchored on the http.host buffer); confirm keyword support against the
#     Suricata version in use before changing the template.
#
# - msg: every msg below embeds MISP tag values in unescaped double quotes
#   (country="russia", target-information="France", ...). Suricata's rule
#   syntax expects a literal " inside a quoted option to be written as \".
#   Validate the file with `suricata -T -S <file>` before deployment; if the
#   rules are rejected, escape or strip the quotes in the export's msg.
# - Coverage: only cleartext HTTP Host headers and DNS queries are inspected.
#   HTTPS connections to these domains (TLS SNI), DNS-over-HTTPS and locally
#   cached resolutions produce no alert from these rules; pair them with
#   tls.sni rules or proxy/DNS-log matching if that visibility is needed.
# - tag:session,600,seconds (HTTP rules only) logs the remainder of the
#   session for 600 seconds after each hit; expect extra output volume on
#   busy sensors.
# - All rules carry classtype:trojan-activity and priority:2 as set by the
#   export; re-check that against the event's actual content, since the
#   tags describe a country/targeting context rather than a malware family.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain voronezh-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"voronezh-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])voronezh\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238022; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain yaroslavl-news.net"; dns.query; content:"yaroslavl-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])yaroslavl\-news\.net$/i"; classtype:trojan-activity; sid:4238031; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain yaroslavl-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"yaroslavl-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])yaroslavl\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238032; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain sevastopol-news.com"; dns.query; content:"sevastopol-news.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])sevastopol\-news\.com$/i"; classtype:trojan-activity; sid:4238041; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain sevastopol-news.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sevastopol-news.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sevastopol\-news\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238042; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain msk-news.net"; dns.query; content:"msk-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])msk\-news\.net$/i"; classtype:trojan-activity; sid:4238051; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain msk-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"msk-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])msk\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238052; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain astrakhan-news.net"; dns.query; content:"astrakhan-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])astrakhan\-news\.net$/i"; classtype:trojan-activity; sid:4238061; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain astrakhan-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"astrakhan-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])astrakhan\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238062; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain arkhangelsk-news.net"; dns.query; content:"arkhangelsk-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])arkhangelsk\-news\.net$/i"; classtype:trojan-activity; sid:4238071; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain arkhangelsk-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"arkhangelsk-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])arkhangelsk\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238072; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain belgorod-news.net"; dns.query; content:"belgorod-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])belgorod\-news\.net$/i"; classtype:trojan-activity; sid:4238081; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain belgorod-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"belgorod-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])belgorod\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238082; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain vladimir-news.net"; dns.query; content:"vladimir-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])vladimir\-news\.net$/i"; classtype:trojan-activity; sid:4238091; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain vladimir-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vladimir-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vladimir\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238092; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain vologda-news.net"; dns.query; content:"vologda-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])vologda\-news\.net$/i"; classtype:trojan-activity; sid:4238101; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain vologda-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vologda-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vologda\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238102; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain dagestan-news.net"; dns.query; content:"dagestan-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])dagestan\-news\.net$/i"; classtype:trojan-activity; sid:4238111; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain dagestan-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dagestan-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dagestan\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238112; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain ivanovo-news.net"; dns.query; content:"ivanovo-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])ivanovo\-news\.net$/i"; classtype:trojan-activity; sid:4238121; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain ivanovo-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ivanovo-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ivanovo\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238122; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain kaliningrad-news.net"; dns.query; content:"kaliningrad-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])kaliningrad\-news\.net$/i"; classtype:trojan-activity; sid:4238131; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain kaliningrad-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kaliningrad-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kaliningrad\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238132; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain kirov-news.net"; dns.query; content:"kirov-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])kirov\-news\.net$/i"; classtype:trojan-activity; sid:4238141; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain kirov-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kirov-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kirov\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238142; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain murmansk-news.net"; dns.query; content:"murmansk-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])murmansk\-news\.net$/i"; classtype:trojan-activity; sid:4238151; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain murmansk-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"murmansk-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])murmansk\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238152; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain kemerovo-news.net"; dns.query; content:"kemerovo-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])kemerovo\-news\.net$/i"; classtype:trojan-activity; sid:4238161; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain kemerovo-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kemerovo-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kemerovo\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238162; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain penza-news.net"; dns.query; content:"penza-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])penza\-news\.net$/i"; classtype:trojan-activity; sid:4238171; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain penza-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"penza-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])penza\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238172; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain orenburg-news.net"; dns.query; content:"orenburg-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])orenburg\-news\.net$/i"; classtype:trojan-activity; sid:4238181; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain orenburg-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"orenburg-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])orenburg\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238182; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain orel-news.net"; dns.query; content:"orel-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])orel\-news\.net$/i"; classtype:trojan-activity; sid:4238191; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain orel-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"orel-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])orel\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238192; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain stavropol-news.net"; dns.query; content:"stavropol-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])stavropol\-news\.net$/i"; classtype:trojan-activity; sid:4238201; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain stavropol-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"stavropol-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])stavropol\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238202; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain smolensk-news.net"; dns.query; content:"smolensk-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])smolensk\-news\.net$/i"; classtype:trojan-activity; sid:4238211; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain smolensk-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"smolensk-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])smolensk\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238212; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain tomsk-news.net"; dns.query; content:"tomsk-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])tomsk\-news\.net$/i"; classtype:trojan-activity; sid:4238221; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain tomsk-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tomsk-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tomsk\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238222; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain tver-news.net"; dns.query; content:"tver-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])tver\-news\.net$/i"; classtype:trojan-activity; sid:4238231; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain tver-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tver-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tver\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238232; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain ryazan-news.net"; dns.query; content:"ryazan-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])ryazan\-news\.net$/i"; classtype:trojan-activity; sid:4238241; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain ryazan-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ryazan-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ryazan\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238242; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain tula-news.net"; dns.query; content:"tula-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])tula\-news\.net$/i"; classtype:trojan-activity; sid:4238251; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain tula-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tula-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tula\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238252; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain chita-news.net"; dns.query; content:"chita-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])chita\-news\.net$/i"; classtype:trojan-activity; sid:4238261; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain chita-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"chita-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])chita\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238262; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain kursk-news.net"; dns.query; content:"kursk-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])kursk\-news\.net$/i"; classtype:trojan-activity; sid:4238271; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain kursk-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kursk-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kursk\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238272; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain lipetsk-news.net"; dns.query; content:"lipetsk-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])lipetsk\-news\.net$/i"; classtype:trojan-activity; sid:4238281; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain lipetsk-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lipetsk-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lipetsk\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238282; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain saransk-news.net"; dns.query; content:"saransk-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])saransk\-news\.net$/i"; classtype:trojan-activity; sid:4238291; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain saransk-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"saransk-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])saransk\-news\.net[^A-Za-z0-9-\.]/Hi";
tag:session,600,seconds; classtype:trojan-activity; sid:4238292; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain kostroma-news.net"; dns.query; content:"kostroma-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])kostroma\-news\.net$/i"; classtype:trojan-activity; sid:4238301; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain kostroma-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kostroma-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kostroma\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238302; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain yamal-news.net"; dns.query; content:"yamal-news.net"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])yamal\-news\.net$/i"; classtype:trojan-activity; sid:4238311; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain yamal-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"yamal-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])yamal\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238312; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain tambov-news.net"; dns.query; content:"tambov-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])tambov\-news\.net$/i"; classtype:trojan-activity; sid:4238321; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain tambov-news.net"; 
flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tambov-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tambov\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238322; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain kaluga-news.net"; dns.query; content:"kaluga-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])kaluga\-news\.net$/i"; classtype:trojan-activity; sid:4238331; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain kaluga-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kaluga-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kaluga\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238332; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 
[misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain sakhalin-news.net"; dns.query; content:"sakhalin-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])sakhalin\-news\.net$/i"; classtype:trojan-activity; sid:4238341; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain sakhalin-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sakhalin-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sakhalin\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238342; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain cheb-news.net"; dns.query; content:"cheb-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])cheb\-news\.net$/i"; classtype:trojan-activity; sid:4238351; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain cheb-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cheb-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cheb\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238352; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain ugra-news.net"; dns.query; content:"ugra-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])ugra\-news\.net$/i"; classtype:trojan-activity; sid:4238361; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain ugra-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ugra-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ugra\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4238362; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain yakutsk-news.net"; dns.query; content:"yakutsk-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])yakutsk\-news\.net$/i"; classtype:trojan-activity; sid:4238371; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain yakutsk-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"yakutsk-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])yakutsk\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238372; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain kamchatka-news.net"; dns.query; content:"kamchatka-news.net"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])kamchatka\-news\.net$/i"; classtype:trojan-activity; sid:4238381; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain kamchatka-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kamchatka-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kamchatka\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238382; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain karelia-news.net"; dns.query; content:"karelia-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])karelia\-news\.net$/i"; classtype:trojan-activity; sid:4238391; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain karelia-news.net"; 
flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"karelia-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])karelia\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238392; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain komi-news.net"; dns.query; content:"komi-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])komi\-news\.net$/i"; classtype:trojan-activity; sid:4238401; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain komi-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"komi-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])komi\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238402; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 
[misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain udmurt-news.net"; dns.query; content:"udmurt-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])udmurt\-news\.net$/i"; classtype:trojan-activity; sid:4238411; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain udmurt-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"udmurt-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])udmurt\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238412; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain kalmykia-news.net"; dns.query; content:"kalmykia-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])kalmykia\-news\.net$/i"; classtype:trojan-activity; sid:4238421; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain kalmykia-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kalmykia-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kalmykia\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238422; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain tuva-news.net"; dns.query; content:"tuva-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])tuva\-news\.net$/i"; classtype:trojan-activity; sid:4238431; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain tuva-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tuva-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tuva\-news\.net[^A-Za-z0-9-\.]/Hi"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4238432; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain baikal-news.net"; dns.query; content:"baikal-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])baikal\-news\.net$/i"; classtype:trojan-activity; sid:4238441; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain baikal-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"baikal-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])baikal\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238442; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain pskov-news.net"; dns.query; content:"pskov-news.net"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])pskov\-news\.net$/i"; classtype:trojan-activity; sid:4238451; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain pskov-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pskov-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pskov\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238452; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain altay-news.net"; dns.query; content:"altay-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])altay\-news\.net$/i"; classtype:trojan-activity; sid:4238461; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain altay-news.net"; flow:to_server,established; 
http.header; content: "Host|3a|"; nocase; http.header; content:"altay-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])altay\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238462; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain ingushetiya-news.net"; dns.query; content:"ingushetiya-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])ingushetiya\-news\.net$/i"; classtype:trojan-activity; sid:4238471; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain ingushetiya-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ingushetiya-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ingushetiya\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238472; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 
[misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain adygheya-news.net"; dns.query; content:"adygheya-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])adygheya\-news\.net$/i"; classtype:trojan-activity; sid:4238481; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
# --- Review notes: MISP event 403 indicator rules (sids 4238481-4238771 in this span) ---
# Each domain indicator is exported as a pair of rules:
#   * "alert dns any any -> any any ... dns.query": matches a DNS query for the domain
#     regardless of direction, so unlike the HTTP rule it is not limited to $HOME_NET
#     clients. The pcre is anchored with "$" and prefixed with "(^|[^A-Za-z0-9-])", so it
#     matches the exact name or a subdomain of it, not a longer label that merely contains
#     the string.
#   * "alert http $HOME_NET any -> $EXTERNAL_NET any ... http.header": matches an outbound,
#     established request whose header buffer contains "Host:" and the domain. The two
#     content matches are not tied together with distance/within, so the domain may also
#     match in another header (e.g. Referer), not only in Host. "tag:session,600,seconds"
#     keeps logging the matching flow for 600 s after the hit, which helps scoping but adds
#     log volume on noisy hosts.
# Every msg embeds the MISP tag list with unescaped double quotes (e.g. country="russia").
# Depending on the Suricata version these nested quotes may be rejected or mis-parsed at
# load time; validate the ruleset with `suricata -T` before deploying and, if it fails,
# strip or escape the bracketed tag list in msg (it is informational only; the detection
# logic is unaffected).
# priority:2 and classtype:trojan-activity come from the export and may need tuning to the
# local alert-triage policy. One rule per line is required by Suricata; the export layout
# above/below this span may have wrapped rules across lines.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain adygheya-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"adygheya-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])adygheya\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238482; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain nalchik-news.net"; dns.query; content:"nalchik-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])nalchik\-news\.net$/i"; classtype:trojan-activity; sid:4238491; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain nalchik-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nalchik-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nalchik\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238492; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain mariel-news.net"; dns.query; content:"mariel-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])mariel\-news\.net$/i"; classtype:trojan-activity; sid:4238501; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain mariel-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mariel-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mariel\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238502; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain cherkessk-news.net"; dns.query; content:"cherkessk-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])cherkessk\-news\.net$/i"; classtype:trojan-activity; sid:4238511; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain cherkessk-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cherkessk-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cherkessk\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238512; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain vladikavkaz-news.net"; dns.query; content:"vladikavkaz-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])vladikavkaz\-news\.net$/i"; classtype:trojan-activity; sid:4238521; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain vladikavkaz-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vladikavkaz-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vladikavkaz\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238522; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain abakan-news.net"; dns.query; content:"abakan-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])abakan\-news\.net$/i"; classtype:trojan-activity; sid:4238531; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain abakan-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"abakan-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])abakan\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238532; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain grozny-news.net"; dns.query; content:"grozny-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])grozny\-news\.net$/i"; classtype:trojan-activity; sid:4238541; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain grozny-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"grozny-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])grozny\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238542; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain amur-news.net"; dns.query; content:"amur-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])amur\-news\.net$/i"; classtype:trojan-activity; sid:4238551; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain amur-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"amur-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])amur\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238552; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain bryansk-news.net"; dns.query; content:"bryansk-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])bryansk\-news\.net$/i"; classtype:trojan-activity; sid:4238561; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain bryansk-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bryansk-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bryansk\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238562; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain kurgan-news.net"; dns.query; content:"kurgan-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])kurgan\-news\.net$/i"; classtype:trojan-activity; sid:4238571; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain kurgan-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kurgan-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kurgan\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238572; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain birobidzhan-news.net"; dns.query; content:"birobidzhan-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])birobidzhan\-news\.net$/i"; classtype:trojan-activity; sid:4238581; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain birobidzhan-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"birobidzhan-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])birobidzhan\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238582; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain nao-news.net"; dns.query; content:"nao-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])nao\-news\.net$/i"; classtype:trojan-activity; sid:4238591; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain nao-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nao-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nao\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238592; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain chukotka-news.net"; dns.query; content:"chukotka-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])chukotka\-news\.net$/i"; classtype:trojan-activity; sid:4238601; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain chukotka-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"chukotka-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])chukotka\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238602; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain novgorod-news.net"; dns.query; content:"novgorod-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])novgorod\-news\.net$/i"; classtype:trojan-activity; sid:4238611; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain novgorod-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"novgorod-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])novgorod\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238612; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain magadan-news.net"; dns.query; content:"magadan-news.net"; nocase; pcre: "/(^|[^A-Za-z0-9-])magadan\-news\.net$/i"; classtype:trojan-activity; sid:4238621; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain magadan-news.net"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"magadan-news.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])magadan\-news\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238622; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain novyny.kr.ua"; dns.query; content:"novyny.kr.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])novyny\.kr\.ua$/i"; classtype:trojan-activity; sid:4238631; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain novyny.kr.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"novyny.kr.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])novyny\.kr\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238632; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain novyny.zt.ua"; dns.query; content:"novyny.zt.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])novyny\.zt\.ua$/i"; classtype:trojan-activity; sid:4238641; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain novyny.zt.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"novyny.zt.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])novyny\.zt\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238642; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain gazeta.kharkiv.ua"; dns.query; content:"gazeta.kharkiv.ua"; nocase; pcre: "/(^|[^A-Za-z0-9-])gazeta\.kharkiv\.ua$/i"; classtype:trojan-activity; sid:4238651; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain gazeta.kharkiv.ua"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gazeta.kharkiv.ua"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gazeta\.kharkiv\.ua[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238652; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain cherkassy-news.ru"; dns.query; content:"cherkassy-news.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])cherkassy\-news\.ru$/i"; classtype:trojan-activity; sid:4238661; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain cherkassy-news.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cherkassy-news.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cherkassy\-news\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238662; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain kherson-news.ru"; dns.query; content:"kherson-news.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])kherson\-news\.ru$/i"; classtype:trojan-activity; sid:4238671; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain kherson-news.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kherson-news.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kherson\-news\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238672; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain lnr-news.ru"; dns.query; content:"lnr-news.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])lnr\-news\.ru$/i"; classtype:trojan-activity; sid:4238681; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain lnr-news.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lnr-news.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lnr\-news\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238682; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain news-kharkov.ru"; dns.query; content:"news-kharkov.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])news\-kharkov\.ru$/i"; classtype:trojan-activity; sid:4238691; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain news-kharkov.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"news-kharkov.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])news\-kharkov\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238692; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain poltava-news.ru"; dns.query; content:"poltava-news.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])poltava\-news\.ru$/i"; classtype:trojan-activity; sid:4238701; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain poltava-news.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"poltava-news.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])poltava\-news\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238702; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain vin-news.ru"; dns.query; content:"vin-news.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])vin\-news\.ru$/i"; classtype:trojan-activity; sid:4238711; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain vin-news.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vin-news.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vin\-news\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238712; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain zp-news.ru"; dns.query; content:"zp-news.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])zp\-news\.ru$/i"; classtype:trojan-activity; sid:4238721; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain zp-news.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"zp-news.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])zp\-news\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238722; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain chernigov-news.ru"; dns.query; content:"chernigov-news.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])chernigov\-news\.ru$/i"; classtype:trojan-activity; sid:4238731; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain chernigov-news.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"chernigov-news.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])chernigov\-news\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238732; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain dnepr-news.ru"; dns.query; content:"dnepr-news.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])dnepr\-news\.ru$/i"; classtype:trojan-activity; sid:4238741; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain dnepr-news.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dnepr-news.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dnepr\-news\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238742; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain dnr-news.ru"; dns.query; content:"dnr-news.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])dnr\-news\.ru$/i"; classtype:trojan-activity; sid:4238751; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain dnr-news.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dnr-news.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dnr\-news\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238752; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain kirovograd-news.ru"; dns.query; content:"kirovograd-news.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])kirovograd\-news\.ru$/i"; classtype:trojan-activity; sid:4238761; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain kirovograd-news.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kirovograd-news.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kirovograd\-news\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238762; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain news-kiev.ru"; dns.query; content:"news-kiev.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])news\-kiev\.ru$/i"; classtype:trojan-activity; sid:4238771; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] 
Outgoing HTTP Domain news-kiev.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"news-kiev.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])news\-kiev\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238772; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain news-odessa.ru"; dns.query; content:"news-odessa.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])news\-odessa\.ru$/i"; classtype:trojan-activity; sid:4238781; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain news-odessa.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"news-odessa.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])news\-odessa\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238782; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 
[misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain nikolaev-news.ru"; dns.query; content:"nikolaev-news.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])nikolaev\-news\.ru$/i"; classtype:trojan-activity; sid:4238791; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain nikolaev-news.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nikolaev-news.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nikolaev\-news\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238792; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain sumy-news.ru"; dns.query; content:"sumy-news.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])sumy\-news\.ru$/i"; classtype:trojan-activity; sid:4238801; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain sumy-news.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"sumy-news.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])sumy\-news\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238802; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain zhitomir-news.ru"; dns.query; content:"zhitomir-news.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])zhitomir\-news\.ru$/i"; classtype:trojan-activity; sid:4238811; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain zhitomir-news.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"zhitomir-news.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])zhitomir\-news\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4238812; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain berdyansk-news.ru"; dns.query; content:"berdyansk-news.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])berdyansk\-news\.ru$/i"; classtype:trojan-activity; sid:4238821; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain berdyansk-news.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"berdyansk-news.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])berdyansk\-news\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238822; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain donetsk-news.ru"; dns.query; content:"donetsk-news.ru"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])donetsk\-news\.ru$/i"; classtype:trojan-activity; sid:4238831; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain donetsk-news.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"donetsk-news.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])donetsk\-news\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238832; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain lugansk-news.ru"; dns.query; content:"lugansk-news.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])lugansk\-news\.ru$/i"; classtype:trojan-activity; sid:4238841; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain lugansk-news.ru"; 
flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lugansk-news.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lugansk\-news\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238842; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain mariupol-news.ru"; dns.query; content:"mariupol-news.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])mariupol\-news\.ru$/i"; classtype:trojan-activity; sid:4238851; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain mariupol-news.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mariupol-news.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mariupol\-news\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238852; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 
[misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain melitopol-news.ru"; dns.query; content:"melitopol-news.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])melitopol\-news\.ru$/i"; classtype:trojan-activity; sid:4238861; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain melitopol-news.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"melitopol-news.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])melitopol\-news\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238862; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain alchevsk-news.ru"; dns.query; content:"alchevsk-news.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])alchevsk\-news\.ru$/i"; classtype:trojan-activity; sid:4238871; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain alchevsk-news.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"alchevsk-news.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])alchevsk\-news\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238872; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain bc-news.ru"; dns.query; content:"bc-news.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])bc\-news\.ru$/i"; classtype:trojan-activity; sid:4238881; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain bc-news.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bc-news.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bc\-news\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4238882; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
# NOTE(review): the next two rules (sids 4238891/4238892) match the bare
# second-level domain "news.ru", unlike the city-specific <city>-news.ru
# indicators around them. The dns.query pcre is anchored only at the end
# (`...news\.ru$`) and the Host pcre only requires a non-hostname character
# after the name, so every host under news.ru (www.news.ru, any subdomain)
# fires at priority:2 with classtype:trojan-activity and a 600 s session tag.
# The hyphen in the leading `[^A-Za-z0-9-]` class does keep "zp-news.ru"-style
# names from double-matching here. This may be a parent-domain attribute of
# the same event rather than a distinct indicator — confirm against
# https://misp.botvrij.eu/events/view/403 and consider disabling these two
# sids or lowering their priority before deployment to limit false positives.
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain news.ru"; dns.query; content:"news.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])news\.ru$/i"; classtype:trojan-activity; sid:4238891; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain news.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"news.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])news\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238892; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;)
alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain gorlovka-news.ru"; dns.query; content:"gorlovka-news.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])gorlovka\-news\.ru$/i"; classtype:trojan-activity; sid:4238901; rev:1; 
priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain gorlovka-news.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"gorlovka-news.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])gorlovka\-news\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238902; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain kramatorsk-news.ru"; dns.query; content:"kramatorsk-news.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])kramatorsk\-news\.ru$/i"; classtype:trojan-activity; sid:4238911; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain kramatorsk-news.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; 
content:"kramatorsk-news.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kramatorsk\-news\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238912; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain kremenchug-news.ru"; dns.query; content:"kremenchug-news.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])kremenchug\-news\.ru$/i"; classtype:trojan-activity; sid:4238921; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain kremenchug-news.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"kremenchug-news.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])kremenchug\-news\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238922; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 
[misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain krivoy-rog-news.ru"; dns.query; content:"krivoy-rog-news.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])krivoy\-rog\-news\.ru$/i"; classtype:trojan-activity; sid:4238931; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain krivoy-rog-news.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"krivoy-rog-news.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])krivoy\-rog\-news\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238932; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain news-makeevka.ru"; dns.query; content:"news-makeevka.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])news\-makeevka\.ru$/i"; classtype:trojan-activity; sid:4238941; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain news-makeevka.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"news-makeevka.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])news\-makeevka\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238942; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain nikopol-news.ru"; dns.query; content:"nikopol-news.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])nikopol\-news\.ru$/i"; classtype:trojan-activity; sid:4238951; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain nikopol-news.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nikopol-news.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nikopol\-news\.ru[^A-Za-z0-9-\.]/Hi"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4238952; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain pavlograd-news.ru"; dns.query; content:"pavlograd-news.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])pavlograd\-news\.ru$/i"; classtype:trojan-activity; sid:4238961; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain pavlograd-news.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pavlograd-news.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pavlograd\-news\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238962; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain slavyansk-news.ru"; dns.query; content:"slavyansk-news.ru"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])slavyansk\-news\.ru$/i"; classtype:trojan-activity; sid:4238971; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain slavyansk-news.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"slavyansk-news.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])slavyansk\-news\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238972; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain tiraspol-news.ru"; dns.query; content:"tiraspol-news.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])tiraspol\-news\.ru$/i"; classtype:trojan-activity; sid:4238981; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain tiraspol-news.ru"; 
flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tiraspol-news.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tiraspol\-news\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238982; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain norilsk-news.ru"; dns.query; content:"norilsk-news.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])norilsk\-news\.ru$/i"; classtype:trojan-activity; sid:4238991; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain norilsk-news.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"norilsk-news.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])norilsk\-news\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4238992; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 
[misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain nabchelny-news.ru"; dns.query; content:"nabchelny-news.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])nabchelny\-news\.ru$/i"; classtype:trojan-activity; sid:4239001; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain nabchelny-news.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nabchelny-news.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nabchelny\-news\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4239002; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain nk-news.ru"; dns.query; content:"nk-news.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])nk\-news\.ru$/i"; classtype:trojan-activity; sid:4239011; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain nk-news.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"nk-news.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])nk\-news\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4239012; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain tagil-news.ru"; dns.query; content:"tagil-news.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])tagil\-news\.ru$/i"; classtype:trojan-activity; sid:4239021; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain tagil-news.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"tagil-news.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])tagil\-news\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; 
sid:4239022; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain news-surgut.ru"; dns.query; content:"news-surgut.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])news\-surgut\.ru$/i"; classtype:trojan-activity; sid:4239031; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain news-surgut.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"news-surgut.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])news\-surgut\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4239032; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain chernovcy-news.ru"; dns.query; content:"chernovcy-news.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])chernovcy\-news\.ru$/i"; classtype:trojan-activity; 
sid:4239041; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain chernovcy-news.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"chernovcy-news.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])chernovcy\-news\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4239042; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain if-news.ru"; dns.query; content:"if-news.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])if\-news\.ru$/i"; classtype:trojan-activity; sid:4239051; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain if-news.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"if-news.ru"; 
fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])if\-news\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4239052; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain rovno-news.ru"; dns.query; content:"rovno-news.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])rovno\-news\.ru$/i"; classtype:trojan-activity; sid:4239061; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain rovno-news.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"rovno-news.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])rovno\-news\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4239062; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain volyn-news.ru"; 
dns.query; content:"volyn-news.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])volyn\-news\.ru$/i"; classtype:trojan-activity; sid:4239071; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain volyn-news.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"volyn-news.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])volyn\-news\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4239072; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain khmelnitskiy-news.ru"; dns.query; content:"khmelnitskiy-news.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])khmelnitskiy\-news\.ru$/i"; classtype:trojan-activity; sid:4239081; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] 
Outgoing HTTP Domain khmelnitskiy-news.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"khmelnitskiy-news.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])khmelnitskiy\-news\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4239082; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain lvov-news.ru"; dns.query; content:"lvov-news.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])lvov\-news\.ru$/i"; classtype:trojan-activity; sid:4239091; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain lvov-news.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"lvov-news.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])lvov\-news\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4239092; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 
[misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain ternopol-news.ru"; dns.query; content:"ternopol-news.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])ternopol\-news\.ru$/i"; classtype:trojan-activity; sid:4239101; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain ternopol-news.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ternopol-news.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ternopol\-news\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4239102; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain uzhgorod-news.ru"; dns.query; content:"uzhgorod-news.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])uzhgorod\-news\.ru$/i"; classtype:trojan-activity; sid:4239111; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain uzhgorod-news.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"uzhgorod-news.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])uzhgorod\-news\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4239112; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain pravda-de.com"; dns.query; content:"pravda-de.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])pravda\-de\.com$/i"; classtype:trojan-activity; sid:4239121; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain pravda-de.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pravda-de.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pravda\-de\.com[^A-Za-z0-9-\.]/Hi"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4239122; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain pravda-en.com"; dns.query; content:"pravda-en.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])pravda\-en\.com$/i"; classtype:trojan-activity; sid:4239131; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain pravda-en.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pravda-en.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pravda\-en\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4239132; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain pravda-es.com"; dns.query; content:"pravda-es.com"; nocase; pcre: 
"/(^|[^A-Za-z0-9-])pravda\-es\.com$/i"; classtype:trojan-activity; sid:4239141; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain pravda-es.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pravda-es.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pravda\-es\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4239142; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain pravda-fr.com"; dns.query; content:"pravda-fr.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])pravda\-fr\.com$/i"; classtype:trojan-activity; sid:4239151; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain pravda-fr.com"; flow:to_server,established; 
http.header; content: "Host|3a|"; nocase; http.header; content:"pravda-fr.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pravda\-fr\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4239152; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain pravda-pl.com"; dns.query; content:"pravda-pl.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])pravda\-pl\.com$/i"; classtype:trojan-activity; sid:4239161; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain pravda-pl.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"pravda-pl.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])pravda\-pl\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4239162; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 
[misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain news-balashiha.ru"; dns.query; content:"news-balashiha.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])news\-balashiha\.ru$/i"; classtype:trojan-activity; sid:4239171; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain news-balashiha.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"news-balashiha.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])news\-balashiha\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4239172; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert dns any any -> any any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Domain volzhskiy-news.ru"; dns.query; content:"volzhskiy-news.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])volzhskiy\-news\.ru$/i"; classtype:trojan-activity; sid:4239181; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing HTTP Domain volzhskiy-news.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"volzhskiy-news.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])volzhskiy\-news\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4239182; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert ip $HOME_NET any -> 178.21.13.3 any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing To IP: 178.21.13.3"; classtype:trojan-activity; sid:4239191; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert ip $HOME_NET any -> 178.21.13.32 any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing To IP: 178.21.13.32"; classtype:trojan-activity; sid:4239201; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert ip $HOME_NET any -> 178.21.13.33 any (msg: "MISP e403 
[misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing To IP: 178.21.13.33"; classtype:trojan-activity; sid:4239211; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert ip $HOME_NET any -> 178.21.13.34 any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing To IP: 178.21.13.34"; classtype:trojan-activity; sid:4239221; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert ip $HOME_NET any -> 178.21.13.35 any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing To IP: 178.21.13.35"; classtype:trojan-activity; sid:4239231; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert ip $HOME_NET any -> 178.21.14.92 any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing To IP: 178.21.14.92"; 
classtype:trojan-activity; sid:4239241; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert ip $HOME_NET any -> 178.21.14.93 any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing To IP: 178.21.14.93"; classtype:trojan-activity; sid:4239251; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert ip $HOME_NET any -> 178.21.15.204 any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing To IP: 178.21.15.204"; classtype:trojan-activity; sid:4239261; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert ip $HOME_NET any -> 176.99.6.152 any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing To IP: 176.99.6.152"; classtype:trojan-activity; sid:4239271; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert ip $HOME_NET any -> 178.21.15.41 any (msg: "MISP e403 
[misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing To IP: 178.21.15.41"; classtype:trojan-activity; sid:4239281; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert ip $HOME_NET any -> 178.21.15.42 any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing To IP: 178.21.15.42"; classtype:trojan-activity; sid:4239291; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert ip $HOME_NET any -> 178.21.15.183 any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing To IP: 178.21.15.183"; classtype:trojan-activity; sid:4239301; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert ip $HOME_NET any -> 178.21.15.85 any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Outgoing To IP: 178.21.15.85"; 
classtype:trojan-activity; sid:4239311; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert ip 178.21.14.0/23 any -> $HOME_NET any (msg: "MISP e403 [misp-galaxy:country="russia",misp-galaxy:target-information="France",misp-galaxy:target-information="Switzerland",tlp:white,misp-galaxy:target-information="Austria",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Spain",misp-galaxy:target-information="United States"] Incoming From IP: 178.21.14.0/23"; classtype:trojan-activity; sid:4239351; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/403;) alert http $HOME_NET any -> 107.172.79.5 $HTTP_PORTS (msg: "MISP e404 [misp-galaxy:country="iran",misp-galaxy:target-information="Palestine",tlp:white] Outgoing URL http|3a|//107.172.79.5/h51z7qpNe35DecAvOKdf/index.php?dC1Zk3F=0193F0800193F080"; flow:to_server,established; http.header; content:"107.172.79.5"; fast_pattern; nocase; http.uri; content:"/h51z7qpNe35DecAvOKdf/index.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4240671; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/404;) alert http $HOME_NET any -> 107.172.79.5 $HTTP_PORTS (msg: "MISP e404 [misp-galaxy:country="iran",misp-galaxy:target-information="Palestine",tlp:white] Outgoing URL http|3a|//107.172.79.5/h51z7qpNe35DecAvOKdf/index.php?dC1Zk3F=00AFF00000AFF000"; flow:to_server,established; http.header; content:"107.172.79.5"; fast_pattern; nocase; http.uri; content:"/h51z7qpNe35DecAvOKdf/index.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4240681; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/404;) alert http $HOME_NET any -> 107.172.79.5 $HTTP_PORTS (msg: "MISP e404 [misp-galaxy:country="iran",misp-galaxy:target-information="Palestine",tlp:white] Outgoing URL http|3a|//107.172.79.5/h51z7qpNe35DecAvOKdf/index.php?dC1Zk3F=0018EAE00018EAE0"; 
flow:to_server,established; http.header; content:"107.172.79.5"; fast_pattern; nocase; http.uri; content:"/h51z7qpNe35DecAvOKdf/index.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4240691; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/404;) alert ip $HOME_NET any -> 107.172.79.5 any (msg: "MISP e404 [misp-galaxy:country="iran",misp-galaxy:target-information="Palestine",tlp:white] Outgoing To IP: 107.172.79.5"; classtype:trojan-activity; sid:4240701; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/404;) alert ip $HOME_NET any -> 178.162.227.180 any (msg: "MISP e405 [misp-galaxy:stix-2.1-attack-pattern="9a280255-c770-4d42-ae50-aff1896ebded"] Outgoing To IP: 178.162.227.180"; classtype:trojan-activity; sid:4240831; rev:1; priority:4; reference:url,https://misp.botvrij.eu/events/view/405;) alert ip $HOME_NET any -> 185.162.235.206 any (msg: "MISP e405 [misp-galaxy:stix-2.1-attack-pattern="9a280255-c770-4d42-ae50-aff1896ebded"] Outgoing To IP: 185.162.235.206"; classtype:trojan-activity; sid:4240851; rev:1; priority:4; reference:url,https://misp.botvrij.eu/events/view/405;) alert dns any any -> any any (msg: "MISP e406 [misp-galaxy:country="belarus",misp-galaxy:country="russia",misp-galaxy:target-information="Belgium",misp-galaxy:target-information="Czech Republic",misp-galaxy:target-information="France",misp-galaxy:target-information="Georgia",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Ukraine",misp-galaxy:target-information="United Kingdom",tlp:white,misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Exploitation for Credential Access - T1212",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Input Capture - T1056",misp-galaxy:mitre-attack-pattern="Valid 
Accounts - T1078",misp-galaxy:mitre-attack-pattern="Email Collection - T1114",misp-galaxy:mitre-attack-pattern="Phishing - T1566"] Domain bugiplaysec.com"; dns.query; content:"bugiplaysec.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])bugiplaysec\.com$/i"; classtype:trojan-activity; sid:4240901; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/406;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e406 [misp-galaxy:country="belarus",misp-galaxy:country="russia",misp-galaxy:target-information="Belgium",misp-galaxy:target-information="Czech Republic",misp-galaxy:target-information="France",misp-galaxy:target-information="Georgia",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Ukraine",misp-galaxy:target-information="United Kingdom",tlp:white,misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Exploitation for Credential Access - T1212",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Input Capture - T1056",misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078",misp-galaxy:mitre-attack-pattern="Email Collection - T1114",misp-galaxy:mitre-attack-pattern="Phishing - T1566"] Outgoing HTTP Domain bugiplaysec.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bugiplaysec.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bugiplaysec\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4240902; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/406;) alert dns any any -> any any (msg: "MISP e406 [misp-galaxy:country="belarus",misp-galaxy:country="russia",misp-galaxy:target-information="Belgium",misp-galaxy:target-information="Czech 
Republic",misp-galaxy:target-information="France",misp-galaxy:target-information="Georgia",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Ukraine",misp-galaxy:target-information="United Kingdom",tlp:white,misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Exploitation for Credential Access - T1212",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Input Capture - T1056",misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078",misp-galaxy:mitre-attack-pattern="Email Collection - T1114",misp-galaxy:mitre-attack-pattern="Phishing - T1566"] Domain hitsbitsx.com"; dns.query; content:"hitsbitsx.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])hitsbitsx\.com$/i"; classtype:trojan-activity; sid:4240911; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/406;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e406 [misp-galaxy:country="belarus",misp-galaxy:country="russia",misp-galaxy:target-information="Belgium",misp-galaxy:target-information="Czech Republic",misp-galaxy:target-information="France",misp-galaxy:target-information="Georgia",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Ukraine",misp-galaxy:target-information="United Kingdom",tlp:white,misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Exploitation for Credential Access - T1212",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Input Capture - T1056",misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078",misp-galaxy:mitre-attack-pattern="Email Collection - T1114",misp-galaxy:mitre-attack-pattern="Phishing - 
T1566"] Outgoing HTTP Domain hitsbitsx.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"hitsbitsx.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])hitsbitsx\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4240912; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/406;) alert dns any any -> any any (msg: "MISP e406 [misp-galaxy:country="belarus",misp-galaxy:country="russia",misp-galaxy:target-information="Belgium",misp-galaxy:target-information="Czech Republic",misp-galaxy:target-information="France",misp-galaxy:target-information="Georgia",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Ukraine",misp-galaxy:target-information="United Kingdom",tlp:white,misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Exploitation for Credential Access - T1212",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Input Capture - T1056",misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078",misp-galaxy:mitre-attack-pattern="Email Collection - T1114",misp-galaxy:mitre-attack-pattern="Phishing - T1566"] Domain ocsp-reloads.com"; dns.query; content:"ocsp-reloads.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ocsp\-reloads\.com$/i"; classtype:trojan-activity; sid:4240921; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/406;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e406 [misp-galaxy:country="belarus",misp-galaxy:country="russia",misp-galaxy:target-information="Belgium",misp-galaxy:target-information="Czech 
Republic",misp-galaxy:target-information="France",misp-galaxy:target-information="Georgia",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Ukraine",misp-galaxy:target-information="United Kingdom",tlp:white,misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Exploitation for Credential Access - T1212",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Input Capture - T1056",misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078",misp-galaxy:mitre-attack-pattern="Email Collection - T1114",misp-galaxy:mitre-attack-pattern="Phishing - T1566"] Outgoing HTTP Domain ocsp-reloads.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ocsp-reloads.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ocsp\-reloads\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4240922; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/406;) alert dns any any -> any any (msg: "MISP e406 [misp-galaxy:country="belarus",misp-galaxy:country="russia",misp-galaxy:target-information="Belgium",misp-galaxy:target-information="Czech Republic",misp-galaxy:target-information="France",misp-galaxy:target-information="Georgia",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Ukraine",misp-galaxy:target-information="United Kingdom",tlp:white,misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Exploitation for Credential Access - T1212",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Input Capture - 
T1056",misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078",misp-galaxy:mitre-attack-pattern="Email Collection - T1114",misp-galaxy:mitre-attack-pattern="Phishing - T1566"] Domain recsecas.com"; dns.query; content:"recsecas.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])recsecas\.com$/i"; classtype:trojan-activity; sid:4240931; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/406;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e406 [misp-galaxy:country="belarus",misp-galaxy:country="russia",misp-galaxy:target-information="Belgium",misp-galaxy:target-information="Czech Republic",misp-galaxy:target-information="France",misp-galaxy:target-information="Georgia",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Ukraine",misp-galaxy:target-information="United Kingdom",tlp:white,misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Exploitation for Credential Access - T1212",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Input Capture - T1056",misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078",misp-galaxy:mitre-attack-pattern="Email Collection - T1114",misp-galaxy:mitre-attack-pattern="Phishing - T1566"] Outgoing HTTP Domain recsecas.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"recsecas.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])recsecas\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4240932; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/406;) alert ip $HOME_NET any -> 38.180.2.23 any (msg: "MISP e406 [misp-galaxy:country="belarus",misp-galaxy:country="russia",misp-galaxy:target-information="Belgium",misp-galaxy:target-information="Czech 
Republic",misp-galaxy:target-information="France",misp-galaxy:target-information="Georgia",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Ukraine",misp-galaxy:target-information="United Kingdom",tlp:white,misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Exploitation for Credential Access - T1212",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Input Capture - T1056",misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078",misp-galaxy:mitre-attack-pattern="Email Collection - T1114",misp-galaxy:mitre-attack-pattern="Phishing - T1566"] Outgoing To IP: 38.180.2.23"; classtype:trojan-activity; sid:4240941; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/406;) alert ip $HOME_NET any -> 38.180.3.57 any (msg: "MISP e406 [misp-galaxy:country="belarus",misp-galaxy:country="russia",misp-galaxy:target-information="Belgium",misp-galaxy:target-information="Czech Republic",misp-galaxy:target-information="France",misp-galaxy:target-information="Georgia",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Ukraine",misp-galaxy:target-information="United Kingdom",tlp:white,misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Exploitation for Credential Access - T1212",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Input Capture - T1056",misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078",misp-galaxy:mitre-attack-pattern="Email Collection - T1114",misp-galaxy:mitre-attack-pattern="Phishing - T1566"] Outgoing To IP: 38.180.3.57"; classtype:trojan-activity; sid:4240951; rev:1; 
priority:2; reference:url,https://misp.botvrij.eu/events/view/406;) alert ip $HOME_NET any -> 38.180.76.31 any (msg: "MISP e406 [misp-galaxy:country="belarus",misp-galaxy:country="russia",misp-galaxy:target-information="Belgium",misp-galaxy:target-information="Czech Republic",misp-galaxy:target-information="France",misp-galaxy:target-information="Georgia",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Ukraine",misp-galaxy:target-information="United Kingdom",tlp:white,misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Exploitation for Credential Access - T1212",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Input Capture - T1056",misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078",misp-galaxy:mitre-attack-pattern="Email Collection - T1114",misp-galaxy:mitre-attack-pattern="Phishing - T1566"] Outgoing To IP: 38.180.76.31"; classtype:trojan-activity; sid:4240961; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/406;) alert ip $HOME_NET any -> 86.105.18.113 any (msg: "MISP e406 [misp-galaxy:country="belarus",misp-galaxy:country="russia",misp-galaxy:target-information="Belgium",misp-galaxy:target-information="Czech Republic",misp-galaxy:target-information="France",misp-galaxy:target-information="Georgia",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Ukraine",misp-galaxy:target-information="United Kingdom",tlp:white,misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Exploitation for Credential Access - T1212",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Input 
Capture - T1056",misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078",misp-galaxy:mitre-attack-pattern="Email Collection - T1114",misp-galaxy:mitre-attack-pattern="Phishing - T1566"] Outgoing To IP: 86.105.18.113"; classtype:trojan-activity; sid:4240971; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/406;) alert ip $HOME_NET any -> 176.97.66.57 any (msg: "MISP e406 [misp-galaxy:country="belarus",misp-galaxy:country="russia",misp-galaxy:target-information="Belgium",misp-galaxy:target-information="Czech Republic",misp-galaxy:target-information="France",misp-galaxy:target-information="Georgia",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Ukraine",misp-galaxy:target-information="United Kingdom",tlp:white,misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Exploitation for Credential Access - T1212",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Input Capture - T1056",misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078",misp-galaxy:mitre-attack-pattern="Email Collection - T1114",misp-galaxy:mitre-attack-pattern="Phishing - T1566"] Outgoing To IP: 176.97.66.57"; classtype:trojan-activity; sid:4240981; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/406;) alert ip $HOME_NET any -> 176.97.76.118 any (msg: "MISP e406 [misp-galaxy:country="belarus",misp-galaxy:country="russia",misp-galaxy:target-information="Belgium",misp-galaxy:target-information="Czech Republic",misp-galaxy:target-information="France",misp-galaxy:target-information="Georgia",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Ukraine",misp-galaxy:target-information="United Kingdom",tlp:white,misp-galaxy:mitre-attack-pattern="Exploitation for Client 
Execution - T1203",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Exploitation for Credential Access - T1212",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Input Capture - T1056",misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078",misp-galaxy:mitre-attack-pattern="Email Collection - T1114",misp-galaxy:mitre-attack-pattern="Phishing - T1566"] Outgoing To IP: 176.97.76.118"; classtype:trojan-activity; sid:4240991; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/406;) alert ip $HOME_NET any -> 176.97.76.129 any (msg: "MISP e406 [misp-galaxy:country="belarus",misp-galaxy:country="russia",misp-galaxy:target-information="Belgium",misp-galaxy:target-information="Czech Republic",misp-galaxy:target-information="France",misp-galaxy:target-information="Georgia",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Ukraine",misp-galaxy:target-information="United Kingdom",tlp:white,misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Exploitation for Credential Access - T1212",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Input Capture - T1056",misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078",misp-galaxy:mitre-attack-pattern="Email Collection - T1114",misp-galaxy:mitre-attack-pattern="Phishing - T1566"] Outgoing To IP: 176.97.76.129"; classtype:trojan-activity; sid:4241001; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/406;) alert ip $HOME_NET any -> 198.50.170.72 any (msg: "MISP e406 [misp-galaxy:country="belarus",misp-galaxy:country="russia",misp-galaxy:target-information="Belgium",misp-galaxy:target-information="Czech 
Republic",misp-galaxy:target-information="France",misp-galaxy:target-information="Georgia",misp-galaxy:target-information="Germany",misp-galaxy:target-information="Poland",misp-galaxy:target-information="Ukraine",misp-galaxy:target-information="United Kingdom",tlp:white,misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Exploitation for Credential Access - T1212",misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571",misp-galaxy:mitre-attack-pattern="Input Capture - T1056",misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078",misp-galaxy:mitre-attack-pattern="Email Collection - T1114",misp-galaxy:mitre-attack-pattern="Phishing - T1566"] Outgoing To IP: 198.50.170.72"; classtype:trojan-activity; sid:4241011; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/406;) alert ip $HOME_NET any -> 104.129.55.103 2224 (msg: "MISP e407 [tlp:white,misp-galaxy:malpedia="Pikabot"] Outgoing To IP: 104.129.55.103|2224"; classtype:trojan-activity; sid:4241071; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/407;) alert ip $HOME_NET any -> 178.18.246.136 2078 (msg: "MISP e407 [tlp:white,misp-galaxy:malpedia="Pikabot"] Outgoing To IP: 178.18.246.136|2078"; classtype:trojan-activity; sid:4241081; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/407;) alert ip $HOME_NET any -> 158.220.80.167 2967 (msg: "MISP e407 [tlp:white,misp-galaxy:malpedia="Pikabot"] Outgoing To IP: 158.220.80.167|2967"; classtype:trojan-activity; sid:4241091; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/407;) alert ip $HOME_NET any -> 104.129.55.104 2223 (msg: "MISP e407 [tlp:white,misp-galaxy:malpedia="Pikabot"] Outgoing To IP: 104.129.55.104|2223"; classtype:trojan-activity; sid:4241101; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/407;) alert ip $HOME_NET any -> 
23.226.138.161 5242 (msg: "MISP e407 [tlp:white,misp-galaxy:malpedia="Pikabot"] Outgoing To IP: 23.226.138.161|5242"; classtype:trojan-activity; sid:4241111; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/407;) alert ip $HOME_NET any -> 37.60.242.85 9785 (msg: "MISP e407 [tlp:white,misp-galaxy:malpedia="Pikabot"] Outgoing To IP: 37.60.242.85|9785"; classtype:trojan-activity; sid:4241121; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/407;) alert ip $HOME_NET any -> 23.226.138.143 2083 (msg: "MISP e407 [tlp:white,misp-galaxy:malpedia="Pikabot"] Outgoing To IP: 23.226.138.143|2083"; classtype:trojan-activity; sid:4241131; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/407;) alert ip $HOME_NET any -> 37.60.242.86 2967 (msg: "MISP e407 [tlp:white,misp-galaxy:malpedia="Pikabot"] Outgoing To IP: 37.60.242.86|2967"; classtype:trojan-activity; sid:4241141; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/407;) alert ip $HOME_NET any -> 85.239.243.155 5000 (msg: "MISP e407 [tlp:white,misp-galaxy:malpedia="Pikabot"] Outgoing To IP: 85.239.243.155|5000"; classtype:trojan-activity; sid:4241151; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/407;) alert ip $HOME_NET any -> 158.220.80.157 9785 (msg: "MISP e407 [tlp:white,misp-galaxy:malpedia="Pikabot"] Outgoing To IP: 158.220.80.157|9785"; classtype:trojan-activity; sid:4241161; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/407;) alert ip $HOME_NET any -> 65.20.66.218 5938 (msg: "MISP e407 [tlp:white,misp-galaxy:malpedia="Pikabot"] Outgoing To IP: 65.20.66.218|5938"; classtype:trojan-activity; sid:4241171; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/407;) alert ip $HOME_NET any -> 95.179.191.137 5938 (msg: "MISP e407 [tlp:white,misp-galaxy:malpedia="Pikabot"] Outgoing To IP: 95.179.191.137|5938"; classtype:trojan-activity; sid:4241181; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/407;) alert ip $HOME_NET any -> 139.84.237.229 2967 (msg: "MISP e407 [tlp:white,misp-galaxy:malpedia="Pikabot"] Outgoing To IP: 139.84.237.229|2967"; classtype:trojan-activity; sid:4241191; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/407;) alert dns any any -> any any (msg: "MISP e408 [misp-galaxy:sector="Finance",tlp:white] Domain fxbulls.ru"; dns.query; content:"fxbulls.ru"; nocase; pcre: "/(^|[^A-Za-z0-9-])fxbulls\.ru$/i"; classtype:trojan-activity; sid:4241401; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/408;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e408 [misp-galaxy:sector="Finance",tlp:white] Outgoing HTTP Domain fxbulls.ru"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"fxbulls.ru"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])fxbulls\.ru[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4241402; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/408;) alert dns any any -> any any (msg: "MISP e408 [misp-galaxy:sector="Finance",tlp:white] Domain 87iavv.com"; dns.query; content:"87iavv.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])87iavv\.com$/i"; classtype:trojan-activity; sid:4241411; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/408;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e408 [misp-galaxy:sector="Finance",tlp:white] Outgoing HTTP Domain 87iavv.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"87iavv.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])87iavv\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4241412; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/408;) alert dns any any -> any any (msg: "MISP e408 [misp-galaxy:sector="Finance",tlp:white] Domain unfawjelesst322.com"; dns.query; 
content:"unfawjelesst322.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])unfawjelesst322\.com$/i"; classtype:trojan-activity; sid:4241421; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/408;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e408 [misp-galaxy:sector="Finance",tlp:white] Outgoing HTTP Domain unfawjelesst322.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"unfawjelesst322.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])unfawjelesst322\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4241422; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/408;) alert dns any any -> any any (msg: "MISP e408 [misp-galaxy:sector="Finance",tlp:white] Domain p2oaviwt39ui.com"; dns.query; content:"p2oaviwt39ui.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])p2oaviwt39ui\.com$/i"; classtype:trojan-activity; sid:4241431; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/408;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e408 [misp-galaxy:sector="Finance",tlp:white] Outgoing HTTP Domain p2oaviwt39ui.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"p2oaviwt39ui.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])p2oaviwt39ui\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4241432; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/408;) alert ip $HOME_NET any -> 84.32.189.74 any (msg: "MISP e408 [misp-galaxy:sector="Finance",tlp:white] Outgoing To IP: 84.32.189.74"; classtype:trojan-activity; sid:4241441; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/408;) alert ip $HOME_NET any -> 179.43.172.127 any (msg: "MISP e408 [misp-galaxy:sector="Finance",tlp:white] Outgoing To IP: 179.43.172.127"; classtype:trojan-activity; sid:4241451; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/408;) 
alert ip $HOME_NET any -> 179.43.172.191 any (msg: "MISP e408 [misp-galaxy:sector="Finance",tlp:white] Outgoing To IP: 179.43.172.191"; classtype:trojan-activity; sid:4241461; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/408;) alert ip $HOME_NET any -> 64.31.63.70 any (msg: "MISP e408 [misp-galaxy:sector="Finance",tlp:white] Outgoing To IP: 64.31.63.70"; classtype:trojan-activity; sid:4241471; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/408;) alert ip $HOME_NET any -> 64.31.63.194 any (msg: "MISP e408 [misp-galaxy:sector="Finance",tlp:white] Outgoing To IP: 64.31.63.194"; classtype:trojan-activity; sid:4241481; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/408;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e409 [tlp:white,misp-galaxy:threat-actor="MUSTANG PANDA",misp-galaxy:target-information="Malaysia",misp-galaxy:target-information="Taiwan",misp-galaxy:target-information="Vietnam",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1192"] Outgoing URL https|3a|//getfiledown.com/utdkt"; tls.sni; content:"getfiledown.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4242671; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/409;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e409 [tlp:white,misp-galaxy:threat-actor="MUSTANG PANDA",misp-galaxy:target-information="Malaysia",misp-galaxy:target-information="Taiwan",misp-galaxy:target-information="Vietnam",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1192"] Outgoing URL https|3a|//getfiledown.com/vgbskgyu"; tls.sni; content:"getfiledown.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4242681; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/409;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e409 
[tlp:white,misp-galaxy:threat-actor="MUSTANG PANDA",misp-galaxy:target-information="Malaysia",misp-galaxy:target-information="Taiwan",misp-galaxy:target-information="Vietnam",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1192"] Outgoing URL https|3a|//getfilefox.com/enmjgwvt"; tls.sni; content:"getfilefox.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4242691; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/409;) alert dns any any -> any any (msg: "MISP e409 [tlp:white,misp-galaxy:threat-actor="MUSTANG PANDA",misp-galaxy:target-information="Malaysia",misp-galaxy:target-information="Taiwan",misp-galaxy:target-information="Vietnam",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1192"] Domain ivibers.com"; dns.query; content:"ivibers.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])ivibers\.com$/i"; classtype:trojan-activity; sid:4242701; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/409;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e409 [tlp:white,misp-galaxy:threat-actor="MUSTANG PANDA",misp-galaxy:target-information="Malaysia",misp-galaxy:target-information="Taiwan",misp-galaxy:target-information="Vietnam",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1192"] Outgoing HTTP Domain ivibers.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ivibers.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ivibers\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4242702; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/409;) alert dns any any -> any any (msg: "MISP e409 [tlp:white,misp-galaxy:threat-actor="MUSTANG 
PANDA",misp-galaxy:target-information="Malaysia",misp-galaxy:target-information="Taiwan",misp-galaxy:target-information="Vietnam",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1192"] Domain meetviberapi.com"; dns.query; content:"meetviberapi.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])meetviberapi\.com$/i"; classtype:trojan-activity; sid:4242711; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/409;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e409 [tlp:white,misp-galaxy:threat-actor="MUSTANG PANDA",misp-galaxy:target-information="Malaysia",misp-galaxy:target-information="Taiwan",misp-galaxy:target-information="Vietnam",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1192"] Outgoing HTTP Domain meetviberapi.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"meetviberapi.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])meetviberapi\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4242712; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/409;) alert dns any any -> any any (msg: "MISP e409 [tlp:white,misp-galaxy:threat-actor="MUSTANG PANDA",misp-galaxy:target-information="Malaysia",misp-galaxy:target-information="Taiwan",misp-galaxy:target-information="Vietnam",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1192"] Domain iamc2c2.com"; dns.query; content:"iamc2c2.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])iamc2c2\.com$/i"; classtype:trojan-activity; sid:4242721; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/409;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e409 [tlp:white,misp-galaxy:threat-actor="MUSTANG 
PANDA",misp-galaxy:target-information="Malaysia",misp-galaxy:target-information="Taiwan",misp-galaxy:target-information="Vietnam",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1192"] Outgoing HTTP Domain iamc2c2.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"iamc2c2.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])iamc2c2\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4242722; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/409;) alert dns any any -> any any (msg: "MISP e409 [tlp:white,misp-galaxy:threat-actor="MUSTANG PANDA",misp-galaxy:target-information="Malaysia",misp-galaxy:target-information="Taiwan",misp-galaxy:target-information="Vietnam",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1192"] Domain thisistestc2.com"; dns.query; content:"thisistestc2.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])thisistestc2\.com$/i"; classtype:trojan-activity; sid:4242731; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/409;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e409 [tlp:white,misp-galaxy:threat-actor="MUSTANG PANDA",misp-galaxy:target-information="Malaysia",misp-galaxy:target-information="Taiwan",misp-galaxy:target-information="Vietnam",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1192"] Outgoing HTTP Domain thisistestc2.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"thisistestc2.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])thisistestc2\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4242732; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/409;) alert dns any any -> any any (msg: "MISP e409 [tlp:white,misp-galaxy:threat-actor="MUSTANG 
PANDA",misp-galaxy:target-information="Malaysia",misp-galaxy:target-information="Taiwan",misp-galaxy:target-information="Vietnam",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1192"] Domain electrictulsa.com"; dns.query; content:"electrictulsa.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])electrictulsa\.com$/i"; classtype:trojan-activity; sid:4242741; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/409;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e409 [tlp:white,misp-galaxy:threat-actor="MUSTANG PANDA",misp-galaxy:target-information="Malaysia",misp-galaxy:target-information="Taiwan",misp-galaxy:target-information="Vietnam",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1192"] Outgoing HTTP Domain electrictulsa.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"electrictulsa.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])electrictulsa\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4242742; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/409;) alert dns any any -> any any (msg: "MISP e409 [tlp:white,misp-galaxy:threat-actor="MUSTANG PANDA",misp-galaxy:target-information="Malaysia",misp-galaxy:target-information="Taiwan",misp-galaxy:target-information="Vietnam",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1192"] Domain mongolianshipregistrar.com"; dns.query; content:"mongolianshipregistrar.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])mongolianshipregistrar\.com$/i"; classtype:trojan-activity; sid:4242751; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/409;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e409 [tlp:white,misp-galaxy:threat-actor="MUSTANG 
PANDA",misp-galaxy:target-information="Malaysia",misp-galaxy:target-information="Taiwan",misp-galaxy:target-information="Vietnam",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1192"] Outgoing HTTP Domain mongolianshipregistrar.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mongolianshipregistrar.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mongolianshipregistrar\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4242752; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/409;) alert ip $HOME_NET any -> 103.107.104.37 443 (msg: "MISP e409 [tlp:white,misp-galaxy:threat-actor="MUSTANG PANDA",misp-galaxy:target-information="Malaysia",misp-galaxy:target-information="Taiwan",misp-galaxy:target-information="Vietnam",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1192"] Outgoing To IP: 103.107.104.37|443"; classtype:trojan-activity; sid:4242761; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/409;) alert ip $HOME_NET any -> 149.104.12.64 443 (msg: "MISP e409 [tlp:white,misp-galaxy:threat-actor="MUSTANG PANDA",misp-galaxy:target-information="Malaysia",misp-galaxy:target-information="Taiwan",misp-galaxy:target-information="Vietnam",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1192"] Outgoing To IP: 149.104.12.64|443"; classtype:trojan-activity; sid:4242771; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/409;) alert ip $HOME_NET any -> 185.82.216.184 443 (msg: "MISP e409 [tlp:white,misp-galaxy:threat-actor="MUSTANG PANDA",misp-galaxy:target-information="Malaysia",misp-galaxy:target-information="Taiwan",misp-galaxy:target-information="Vietnam",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link 
- T1192"] Outgoing To IP: 185.82.216.184|443"; classtype:trojan-activity; sid:4242781; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/409;) alert ip $HOME_NET any -> 195.211.96.99 443 (msg: "MISP e409 [tlp:white,misp-galaxy:threat-actor="MUSTANG PANDA",misp-galaxy:target-information="Malaysia",misp-galaxy:target-information="Taiwan",misp-galaxy:target-information="Vietnam",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1192"] Outgoing To IP: 195.211.96.99|443"; classtype:trojan-activity; sid:4242791; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/409;) alert ip $HOME_NET any -> 195.123.246.26 22 (msg: "MISP e409 [tlp:white,misp-galaxy:threat-actor="MUSTANG PANDA",misp-galaxy:target-information="Malaysia",misp-galaxy:target-information="Taiwan",misp-galaxy:target-information="Vietnam",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1192"] Outgoing To IP: 195.123.246.26|22"; classtype:trojan-activity; sid:4242801; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/409;) alert ip $HOME_NET any -> 45.83.236.105 443 (msg: "MISP e409 [tlp:white,misp-galaxy:threat-actor="MUSTANG PANDA",misp-galaxy:target-information="Malaysia",misp-galaxy:target-information="Taiwan",misp-galaxy:target-information="Vietnam",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1192"] Outgoing To IP: 45.83.236.105|443"; classtype:trojan-activity; sid:4242811; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/409;) alert ip $HOME_NET any -> 45.131.179.179 22 (msg: "MISP e409 [tlp:white,misp-galaxy:threat-actor="MUSTANG PANDA",misp-galaxy:target-information="Malaysia",misp-galaxy:target-information="Taiwan",misp-galaxy:target-information="Vietnam",misp-galaxy:mitre-attack-pattern="Phishing - 
T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1192"] Outgoing To IP: 45.131.179.179|22"; classtype:trojan-activity; sid:4242821; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/409;) alert ip $HOME_NET any -> 45.131.179.179 443 (msg: "MISP e409 [tlp:white,misp-galaxy:threat-actor="MUSTANG PANDA",misp-galaxy:target-information="Malaysia",misp-galaxy:target-information="Taiwan",misp-galaxy:target-information="Vietnam",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1192"] Outgoing To IP: 45.131.179.179|443"; classtype:trojan-activity; sid:4242831; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/409;) alert ip $HOME_NET any -> 45.131.179.179 5938 (msg: "MISP e409 [tlp:white,misp-galaxy:threat-actor="MUSTANG PANDA",misp-galaxy:target-information="Malaysia",misp-galaxy:target-information="Taiwan",misp-galaxy:target-information="Vietnam",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1192"] Outgoing To IP: 45.131.179.179|5938"; classtype:trojan-activity; sid:4242841; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/409;) alert ip $HOME_NET any -> 103.192.226.46 443 (msg: "MISP e409 [tlp:white,misp-galaxy:threat-actor="MUSTANG PANDA",misp-galaxy:target-information="Malaysia",misp-galaxy:target-information="Taiwan",misp-galaxy:target-information="Vietnam",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1192"] Outgoing To IP: 103.192.226.46|443"; classtype:trojan-activity; sid:4242851; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/409;) alert ip $HOME_NET any -> 154.204.27.181 80 (msg: "MISP e409 [tlp:white,misp-galaxy:threat-actor="MUSTANG 
PANDA",misp-galaxy:target-information="Malaysia",misp-galaxy:target-information="Taiwan",misp-galaxy:target-information="Vietnam",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1192"] Outgoing To IP: 154.204.27.181|80"; classtype:trojan-activity; sid:4242861; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/409;) alert ip $HOME_NET any -> 154.204.27.181 110 (msg: "MISP e409 [tlp:white,misp-galaxy:threat-actor="MUSTANG PANDA",misp-galaxy:target-information="Malaysia",misp-galaxy:target-information="Taiwan",misp-galaxy:target-information="Vietnam",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1192"] Outgoing To IP: 154.204.27.181|110"; classtype:trojan-activity; sid:4242871; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/409;) alert ip $HOME_NET any -> 103.56.53.120 80 (msg: "MISP e409 [tlp:white,misp-galaxy:threat-actor="MUSTANG PANDA",misp-galaxy:target-information="Malaysia",misp-galaxy:target-information="Taiwan",misp-galaxy:target-information="Vietnam",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1192"] Outgoing To IP: 103.56.53.120|80"; classtype:trojan-activity; sid:4242881; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/409;) alert ip $HOME_NET any -> 103.56.53.120 8080 (msg: "MISP e409 [tlp:white,misp-galaxy:threat-actor="MUSTANG PANDA",misp-galaxy:target-information="Malaysia",misp-galaxy:target-information="Taiwan",misp-galaxy:target-information="Vietnam",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1192"] Outgoing To IP: 103.56.53.120|8080"; classtype:trojan-activity; sid:4242891; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/409;) alert ip $HOME_NET any -> 176.113.69.91 443 (msg: "MISP e409 
[tlp:white,misp-galaxy:threat-actor="MUSTANG PANDA",misp-galaxy:target-information="Malaysia",misp-galaxy:target-information="Taiwan",misp-galaxy:target-information="Vietnam",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1192"] Outgoing To IP: 176.113.69.91|443"; classtype:trojan-activity; sid:4242901; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/409;) alert ip $HOME_NET any -> 45.251.240.55 443 (msg: "MISP e409 [tlp:white,misp-galaxy:threat-actor="MUSTANG PANDA",misp-galaxy:target-information="Malaysia",misp-galaxy:target-information="Taiwan",misp-galaxy:target-information="Vietnam",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1192"] Outgoing To IP: 45.251.240.55|443"; classtype:trojan-activity; sid:4242911; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/409;) alert ip $HOME_NET any -> 45.251.240.55 8080 (msg: "MISP e409 [tlp:white,misp-galaxy:threat-actor="MUSTANG PANDA",misp-galaxy:target-information="Malaysia",misp-galaxy:target-information="Taiwan",misp-galaxy:target-information="Vietnam",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1192"] Outgoing To IP: 45.251.240.55|8080"; classtype:trojan-activity; sid:4242921; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/409;) alert ip $HOME_NET any -> 149.104.11.29 443 (msg: "MISP e409 [tlp:white,misp-galaxy:threat-actor="MUSTANG PANDA",misp-galaxy:target-information="Malaysia",misp-galaxy:target-information="Taiwan",misp-galaxy:target-information="Vietnam",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1192"] Outgoing To IP: 149.104.11.29|443"; classtype:trojan-activity; sid:4242931; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/409;) alert dns any any -> any any (msg: "MISP e409 
[tlp:white,misp-galaxy:threat-actor="MUSTANG PANDA",misp-galaxy:target-information="Malaysia",misp-galaxy:target-information="Taiwan",misp-galaxy:target-information="Vietnam",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1192"] Hostname web.bonuscave.com"; dns.query; content:"web.bonuscave.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])web\.bonuscave\.com$/i"; classtype:trojan-activity; sid:4242941; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/409;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e409 [tlp:white,misp-galaxy:threat-actor="MUSTANG PANDA",misp-galaxy:target-information="Malaysia",misp-galaxy:target-information="Taiwan",misp-galaxy:target-information="Vietnam",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1192"] Outgoing HTTP Hostname web.bonuscave.com"; flow:to_server,established; http.header; content: "Host|3a| web.bonuscave.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])web\.bonuscave\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4242942; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/409;) alert dns any any -> any any (msg: "MISP e409 [tlp:white,misp-galaxy:threat-actor="MUSTANG PANDA",misp-galaxy:target-information="Malaysia",misp-galaxy:target-information="Taiwan",misp-galaxy:target-information="Vietnam",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1192"] Hostname www.markplay.net"; dns.query; content:"www.markplay.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.markplay\.net$/i"; classtype:trojan-activity; sid:4242951; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/409;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e409 [tlp:white,misp-galaxy:threat-actor="MUSTANG 
PANDA",misp-galaxy:target-information="Malaysia",misp-galaxy:target-information="Taiwan",misp-galaxy:target-information="Vietnam",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1192"] Outgoing HTTP Hostname www.markplay.net"; flow:to_server,established; http.header; content: "Host|3a| www.markplay.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])www\.markplay\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4242952; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/409;) alert dns any any -> any any (msg: "MISP e409 [tlp:white,misp-galaxy:threat-actor="MUSTANG PANDA",misp-galaxy:target-information="Malaysia",misp-galaxy:target-information="Taiwan",misp-galaxy:target-information="Vietnam",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1192"] Hostname images.markplay.net"; dns.query; content:"images.markplay.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])images\.markplay\.net$/i"; classtype:trojan-activity; sid:4242961; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/409;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e409 [tlp:white,misp-galaxy:threat-actor="MUSTANG PANDA",misp-galaxy:target-information="Malaysia",misp-galaxy:target-information="Taiwan",misp-galaxy:target-information="Vietnam",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1192"] Outgoing HTTP Hostname images.markplay.net"; flow:to_server,established; http.header; content: "Host|3a| images.markplay.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])images\.markplay\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4242962; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/409;) alert dns any any -> any any (msg: "MISP e409 [tlp:white,misp-galaxy:threat-actor="MUSTANG 
PANDA",misp-galaxy:target-information="Malaysia",misp-galaxy:target-information="Taiwan",misp-galaxy:target-information="Vietnam",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1192"] Hostname news.comsnews.com"; dns.query; content:"news.comsnews.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])news\.comsnews\.com$/i"; classtype:trojan-activity; sid:4242971; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/409;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e409 [tlp:white,misp-galaxy:threat-actor="MUSTANG PANDA",misp-galaxy:target-information="Malaysia",misp-galaxy:target-information="Taiwan",misp-galaxy:target-information="Vietnam",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1192"] Outgoing HTTP Hostname news.comsnews.com"; flow:to_server,established; http.header; content: "Host|3a| news.comsnews.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])news\.comsnews\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4242972; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/409;) alert dns any any -> any any (msg: "MISP e409 [tlp:white,misp-galaxy:threat-actor="MUSTANG PANDA",misp-galaxy:target-information="Malaysia",misp-galaxy:target-information="Taiwan",misp-galaxy:target-information="Vietnam",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1192"] Hostname images.kiidcloud.com"; dns.query; content:"images.kiidcloud.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])images\.kiidcloud\.com$/i"; classtype:trojan-activity; sid:4242981; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/409;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e409 [tlp:white,misp-galaxy:threat-actor="MUSTANG 
PANDA",misp-galaxy:target-information="Malaysia",misp-galaxy:target-information="Taiwan",misp-galaxy:target-information="Vietnam",misp-galaxy:mitre-attack-pattern="Phishing - T1566",misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1192"] Outgoing HTTP Hostname images.kiidcloud.com"; flow:to_server,established; http.header; content: "Host|3a| images.kiidcloud.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])images\.kiidcloud\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4242982; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/409;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Domain 1stemployer.com"; dns.query; content:"1stemployer.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])1stemployer\.com$/i"; classtype:trojan-activity; sid:4243591; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Domain 1stemployer.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"1stemployer.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])1stemployer\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4243592; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname birngthemhomenow.co.il"; dns.query; content:"birngthemhomenow.co.il"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])birngthemhomenow\.co\.il$/i"; classtype:trojan-activity; sid:4243601; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname birngthemhomenow.co.il"; flow:to_server,established; http.header; content: "Host|3a| birngthemhomenow.co.il"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])birngthemhomenow\.co\.il[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4243602; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil 
Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Domain cashcloudservices.com"; dns.query; content:"cashcloudservices.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])cashcloudservices\.com$/i"; classtype:trojan-activity; sid:4243611; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Domain cashcloudservices.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cashcloudservices.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cashcloudservices\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4243612; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Domain jupyternotebookcollections.com"; dns.query; content:"jupyternotebookcollections.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])jupyternotebookcollections\.com$/i"; classtype:trojan-activity; sid:4243621; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 
[misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Domain jupyternotebookcollections.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"jupyternotebookcollections.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])jupyternotebookcollections\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4243622; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
# NOTE(review): all DNS rules in event 411 are written "alert dns any any -> any any" and match on
# the query name (dns.query), so if a recursive resolver's upstream lookups cross the sensor they
# fire there too and the alert's source IP is the resolver, not the querying client - correlate
# with resolver query logs to find the host. The HTTP rules only inspect the cleartext Host header
# (http.header plus a pcre with the /H flag); no tls.sni counterpart is exported here, so an HTTPS
# connection to one of these names is seen only through the DNS rule.
# "Domain" rules use the prefix class [^A-Za-z0-9-], which admits a leading dot and therefore
# matches any subdomain; "Hostname" rules use [^A-Za-z0-9-\.] and match the exact host only.
# The "Hostname" HTTP rules match the literal "Host|3a| <host>" with a single space; confirm on
# the deployed Suricata version whether http.header normalises header whitespace, otherwise a
# sticky http.host match is the more robust form. The msg strings embed unescaped double quotes
# from galaxy tags - run "suricata -T" on this file to confirm every rule loads.
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Domain notebooktextcheckings.com"; dns.query; content:"notebooktextcheckings.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])notebooktextcheckings\.com$/i"; classtype:trojan-activity; sid:4243631; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Domain notebooktextcheckings.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"notebooktextcheckings.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])notebooktextcheckings\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4243632; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
# NOTE(review): teledyneflir.com.de appears to be a look-alike of a vendor domain (teledyneflir.com);
# the two Hostname rules below are anchored on "\.com\.de$" / "\.com\.de[^A-Za-z0-9-\.]", so
# legitimate traffic to teledyneflir.com does not match them.
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname teledyneflir.com.de"; dns.query; content:"teledyneflir.com.de"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])teledyneflir\.com\.de$/i"; classtype:trojan-activity; sid:4243641; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname teledyneflir.com.de"; flow:to_server,established; http.header; content: "Host|3a| teledyneflir.com.de"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])teledyneflir\.com\.de[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4243642; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Domain vsliveagent.com"; dns.query; content:"vsliveagent.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])vsliveagent\.com$/i"; classtype:trojan-activity; sid:4243651; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Domain vsliveagent.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"vsliveagent.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])vsliveagent\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4243652; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Domain xboxplayservice.com"; dns.query; content:"xboxplayservice.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])xboxplayservice\.com$/i"; classtype:trojan-activity; sid:4243661; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Domain xboxplayservice.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"xboxplayservice.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])xboxplayservice\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4243662; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
# NOTE(review): the *.azurewebsites.net names that follow are Azure App Service default hostnames
# on a shared platform. The Hostname anchoring keeps each match exact (no other sub-host of
# azurewebsites.net is matched), but such names can be released and later re-created by an
# unrelated tenant, so re-validate the indicator's age against event 411 before promoting these
# priority:1 alerts to a block action; the addresses they resolve to are presumably shared
# front ends and should not be blocked on their own.
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname airconnectionapi.azurewebsites.net"; dns.query; content:"airconnectionapi.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])airconnectionapi\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4243671; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname airconnectionapi.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| airconnectionapi.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])airconnectionapi\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4243672; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname airconnectionsapi.azurewebsites.net"; dns.query; content:"airconnectionsapi.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])airconnectionsapi\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4243681; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname airconnectionsapi.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| airconnectionsapi.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])airconnectionsapi\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4243682; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname airconnectionsapijson.azurewebsites.net"; dns.query; content:"airconnectionsapijson.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])airconnectionsapijson\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4243691; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname airconnectionsapijson.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| airconnectionsapijson.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])airconnectionsapijson\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4243692; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname airgadgetsolution.azurewebsites.net"; dns.query; content:"airgadgetsolution.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])airgadgetsolution\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4243701; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname airgadgetsolution.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| airgadgetsolution.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])airgadgetsolution\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4243702; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname airgadgetsolutions.azurewebsites.net"; dns.query; content:"airgadgetsolutions.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])airgadgetsolutions\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4243711; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname airgadgetsolutions.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| airgadgetsolutions.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])airgadgetsolutions\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4243712; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname altnametestapi.azurewebsites.net"; dns.query; content:"altnametestapi.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])altnametestapi\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4243721; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname altnametestapi.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| altnametestapi.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])altnametestapi\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4243722; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname answerssurveytest.azurewebsites.net"; dns.query; content:"answerssurveytest.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])answerssurveytest\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4243731; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname answerssurveytest.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| answerssurveytest.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])answerssurveytest\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4243732; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname apphrquestion.azurewebsites.net"; dns.query; content:"apphrquestion.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])apphrquestion\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4243741; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname apphrquestion.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| apphrquestion.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])apphrquestion\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4243742; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname apphrquestions.azurewebsites.net"; dns.query; content:"apphrquestions.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])apphrquestions\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4243751; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname apphrquestions.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| apphrquestions.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])apphrquestions\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4243752; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname apphrquizapi.azurewebsites.net"; dns.query; content:"apphrquizapi.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])apphrquizapi\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4243761; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname apphrquizapi.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| apphrquizapi.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])apphrquizapi\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4243762; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname arquestionsapi.azurewebsites.net"; dns.query; content:"arquestionsapi.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])arquestionsapi\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4243771; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname arquestionsapi.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| arquestionsapi.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])arquestionsapi\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4243772; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname arquestions.azurewebsites.net"; dns.query; content:"arquestions.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])arquestions\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4243781; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname arquestions.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| arquestions.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])arquestions\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4243782; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname audiomanagerapi.azurewebsites.net"; dns.query; content:"audiomanagerapi.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])audiomanagerapi\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4243791; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname audiomanagerapi.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| audiomanagerapi.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])audiomanagerapi\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4243792; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname audioservicetestapi.azurewebsites.net"; dns.query; content:"audioservicetestapi.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])audioservicetestapi\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4243801; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname audioservicetestapi.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| audioservicetestapi.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])audioservicetestapi\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4243802; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname blognewsalphaapijson.azurewebsites.net"; dns.query; content:"blognewsalphaapijson.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])blognewsalphaapijson\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4243811; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname blognewsalphaapijson.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| blognewsalphaapijson.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])blognewsalphaapijson\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4243812; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname blogvolleyballstatusapi.azurewebsites.net"; dns.query; content:"blogvolleyballstatusapi.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])blogvolleyballstatusapi\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4243821; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname blogvolleyballstatusapi.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| blogvolleyballstatusapi.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])blogvolleyballstatusapi\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4243822; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname blogvolleyballstatus.azurewebsites.net"; dns.query; content:"blogvolleyballstatus.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])blogvolleyballstatus\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4243831; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname blogvolleyballstatus.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| blogvolleyballstatus.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])blogvolleyballstatus\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4243832; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname boeisurveyapplications.azurewebsites.net"; dns.query; content:"boeisurveyapplications.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])boeisurveyapplications\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4243841; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname boeisurveyapplications.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| boeisurveyapplications.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])boeisurveyapplications\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4243842; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname browsercheckap.azurewebsites.net"; dns.query; content:"browsercheckap.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])browsercheckap\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4243851; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname browsercheckap.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| browsercheckap.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])browsercheckap\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4243852; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname browsercheckingapi.azurewebsites.net"; dns.query; content:"browsercheckingapi.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])browsercheckingapi\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4243861; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname browsercheckingapi.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| browsercheckingapi.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])browsercheckingapi\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4243862; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname browsercheckjson.azurewebsites.net"; dns.query; content:"browsercheckjson.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])browsercheckjson\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4243871; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname browsercheckjson.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| browsercheckjson.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])browsercheckjson\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4243872; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname changequestionstypeapi.azurewebsites.net"; dns.query; content:"changequestionstypeapi.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])changequestionstypeapi\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4243881; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 
[misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname changequestionstypeapi.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| changequestionstypeapi.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])changequestionstypeapi\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4243882; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname changequestionstypejsonapi.azurewebsites.net"; dns.query; content:"changequestionstypejsonapi.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])changequestionstypejsonapi\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4243891; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil 
Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname changequestionstypejsonapi.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| changequestionstypejsonapi.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])changequestionstypejsonapi\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4243892; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname changequestiontypesapi.azurewebsites.net"; dns.query; content:"changequestiontypesapi.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])changequestiontypesapi\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4243901; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname changequestiontypesapi.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| changequestiontypesapi.azurewebsites.net"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-\.])changequestiontypesapi\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4243902; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname changequestiontypes.azurewebsites.net"; dns.query; content:"changequestiontypes.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])changequestiontypes\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4243911; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname changequestiontypes.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| changequestiontypes.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])changequestiontypes\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4243912; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 
[misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname checkapicountryquestions.azurewebsites.net"; dns.query; content:"checkapicountryquestions.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])checkapicountryquestions\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4243921; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname checkapicountryquestions.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| checkapicountryquestions.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])checkapicountryquestions\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4243922; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil 
Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname checkapicountryquestionsjson.azurewebsites.net"; dns.query; content:"checkapicountryquestionsjson.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])checkapicountryquestionsjson\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4243931; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname checkapicountryquestionsjson.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| checkapicountryquestionsjson.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])checkapicountryquestionsjson\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4243932; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname checkservicecustomerapi.azurewebsites.net"; dns.query; content:"checkservicecustomerapi.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])checkservicecustomerapi\.azurewebsites\.net$/i"; 
classtype:trojan-activity; sid:4243941; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname checkservicecustomerapi.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| checkservicecustomerapi.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])checkservicecustomerapi\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4243942; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname coffeeonlineshop.azurewebsites.net"; dns.query; content:"coffeeonlineshop.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])coffeeonlineshop\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4243951; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab 
Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname coffeeonlineshop.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| coffeeonlineshop.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])coffeeonlineshop\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4243952; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname coffeeonlineshoping.azurewebsites.net"; dns.query; content:"coffeeonlineshoping.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])coffeeonlineshoping\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4243961; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname coffeeonlineshoping.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| coffeeonlineshoping.azurewebsites.net"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-\.])coffeeonlineshoping\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4243962; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname connectairapijson.azurewebsites.net"; dns.query; content:"connectairapijson.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])connectairapijson\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4243971; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname connectairapijson.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| connectairapijson.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])connectairapijson\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4243972; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 
[misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname connectionhandlerapi.azurewebsites.net"; dns.query; content:"connectionhandlerapi.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])connectionhandlerapi\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4243981; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname connectionhandlerapi.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| connectionhandlerapi.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])connectionhandlerapi\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4243982; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil 
Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname countrybasedquestions.azurewebsites.net"; dns.query; content:"countrybasedquestions.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])countrybasedquestions\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4243991; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname countrybasedquestions.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| countrybasedquestions.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])countrybasedquestions\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4243992; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname customercareserviceapi.azurewebsites.net"; dns.query; content:"customercareserviceapi.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])customercareserviceapi\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244001; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname customercareserviceapi.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| customercareserviceapi.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])customercareserviceapi\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244002; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname customercareservice.azurewebsites.net"; dns.query; content:"customercareservice.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])customercareservice\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244011; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab 
Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname customercareservice.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| customercareservice.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])customercareservice\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244012; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname emiratescheckapi.azurewebsites.net"; dns.query; content:"emiratescheckapi.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])emiratescheckapi\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244021; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname emiratescheckapi.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| emiratescheckapi.azurewebsites.net"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-\.])emiratescheckapi\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244022; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname emiratescheckapijson.azurewebsites.net"; dns.query; content:"emiratescheckapijson.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])emiratescheckapijson\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244031; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname emiratescheckapijson.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| emiratescheckapijson.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])emiratescheckapijson\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244032; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 
[misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname engineeringrssfeed.azurewebsites.net"; dns.query; content:"engineeringrssfeed.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])engineeringrssfeed\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244041; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname engineeringrssfeed.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| engineeringrssfeed.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])engineeringrssfeed\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244042; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname 
engineeringssfeed.azurewebsites.net"; dns.query; content:"engineeringssfeed.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])engineeringssfeed\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244051; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname engineeringssfeed.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| engineeringssfeed.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])engineeringssfeed\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244052; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname exchtestcheckingapi.azurewebsites.net"; dns.query; content:"exchtestcheckingapi.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])exchtestcheckingapi\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244061; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 
[misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname exchtestcheckingapi.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| exchtestcheckingapi.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])exchtestcheckingapi\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244062; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname exchtestcheckingapihealth.azurewebsites.net"; dns.query; content:"exchtestcheckingapihealth.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])exchtestcheckingapihealth\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244071; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil 
Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname exchtestcheckingapihealth.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| exchtestcheckingapihealth.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])exchtestcheckingapihealth\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244072; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname flighthelicopterahtest.azurewebsites.net"; dns.query; content:"flighthelicopterahtest.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])flighthelicopterahtest\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244081; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname flighthelicopterahtest.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| flighthelicopterahtest.azurewebsites.net"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-\.])flighthelicopterahtest\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244082; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname helicopterahtest.azurewebsites.net"; dns.query; content:"helicopterahtest.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])helicopterahtest\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244091; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname helicopterahtest.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| helicopterahtest.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])helicopterahtest\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244092; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 
[misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname helicopterahtests.azurewebsites.net"; dns.query; content:"helicopterahtests.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])helicopterahtests\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244101; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname helicopterahtests.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| helicopterahtests.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])helicopterahtests\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244102; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname 
helicoptersahtests.azurewebsites.net"; dns.query; content:"helicoptersahtests.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])helicoptersahtests\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244111; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname helicoptersahtests.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| helicoptersahtests.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])helicoptersahtests\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244112; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname hiringarabicregion.azurewebsites.net"; dns.query; content:"hiringarabicregion.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])hiringarabicregion\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244121; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 
[misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname hiringarabicregion.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| hiringarabicregion.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])hiringarabicregion\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244122; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname homefurniture.azurewebsites.net"; dns.query; content:"homefurniture.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])homefurniture\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244131; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname 
homefurniture.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| homefurniture.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])homefurniture\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244132; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname hrapplicationtest.azurewebsites.net"; dns.query; content:"hrapplicationtest.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])hrapplicationtest\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244141; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname hrapplicationtest.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| hrapplicationtest.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])hrapplicationtest\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244142; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: 
"MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname humanresourcesapi.azurewebsites.net"; dns.query; content:"humanresourcesapi.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])humanresourcesapi\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244151; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname humanresourcesapi.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| humanresourcesapi.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])humanresourcesapi\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244152; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] 
Hostname humanresourcesapijson.azurewebsites.net"; dns.query; content:"humanresourcesapijson.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])humanresourcesapijson\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244161; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname humanresourcesapijson.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| humanresourcesapijson.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])humanresourcesapijson\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244162; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname humanresourcesapiquiz.azurewebsites.net"; dns.query; content:"humanresourcesapiquiz.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])humanresourcesapiquiz\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244171; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 
[misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname humanresourcesapiquiz.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| humanresourcesapiquiz.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])humanresourcesapiquiz\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244172; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname iaidevrssfeed.centralus.cloudapp.azure.com"; dns.query; content:"iaidevrssfeed.centralus.cloudapp.azure.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])iaidevrssfeed\.centralus\.cloudapp\.azure\.com$/i"; classtype:trojan-activity; sid:4244181; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil 
Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname iaidevrssfeed.centralus.cloudapp.azure.com"; flow:to_server,established; http.header; content: "Host|3a| iaidevrssfeed.centralus.cloudapp.azure.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])iaidevrssfeed\.centralus\.cloudapp\.azure\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244182; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname iaidevrssfeed.centrualus.cloudapp.azure.com"; dns.query; content:"iaidevrssfeed.centrualus.cloudapp.azure.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])iaidevrssfeed\.centrualus\.cloudapp\.azure\.com$/i"; classtype:trojan-activity; sid:4244191; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname iaidevrssfeed.centrualus.cloudapp.azure.com"; flow:to_server,established; http.header; content: "Host|3a| iaidevrssfeed.centrualus.cloudapp.azure.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-\.])iaidevrssfeed\.centrualus\.cloudapp\.azure\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244192; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname iaidevrssfeed.cloudapp.azure.com"; dns.query; content:"iaidevrssfeed.cloudapp.azure.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])iaidevrssfeed\.cloudapp\.azure\.com$/i"; classtype:trojan-activity; sid:4244201; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname iaidevrssfeed.cloudapp.azure.com"; flow:to_server,established; http.header; content: "Host|3a| iaidevrssfeed.cloudapp.azure.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])iaidevrssfeed\.cloudapp\.azure\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244202; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 
[misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname iaidevrssfeedp.cloudapp.azure.com"; dns.query; content:"iaidevrssfeedp.cloudapp.azure.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])iaidevrssfeedp\.cloudapp\.azure\.com$/i"; classtype:trojan-activity; sid:4244211; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname iaidevrssfeedp.cloudapp.azure.com"; flow:to_server,established; http.header; content: "Host|3a| iaidevrssfeedp.cloudapp.azure.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])iaidevrssfeedp\.cloudapp\.azure\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244212; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname 
identifycheckapplication.azurewebsites.net"; dns.query; content:"identifycheckapplication.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])identifycheckapplication\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244221; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname identifycheckapplication.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| identifycheckapplication.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])identifycheckapplication\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244222; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname identifycheckapplications.azurewebsites.net"; dns.query; content:"identifycheckapplications.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])identifycheckapplications\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244231; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: 
"MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname identifycheckapplications.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| identifycheckapplications.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])identifycheckapplications\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244232; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname identifycheckingapplications.azurewebsites.net"; dns.query; content:"identifycheckingapplications.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])identifycheckingapplications\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244241; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil 
Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname identifycheckingapplications.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| identifycheckingapplications.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])identifycheckingapplications\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244242; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname ilengineeringrssfeed.azurewebsites.net"; dns.query; content:"ilengineeringrssfeed.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ilengineeringrssfeed\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244251; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname ilengineeringrssfeed.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| ilengineeringrssfeed.azurewebsites.net"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-\.])ilengineeringrssfeed\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244252; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname integratedblognewfeed.azurewebsites.net"; dns.query; content:"integratedblognewfeed.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])integratedblognewfeed\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244261; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname integratedblognewfeed.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| integratedblognewfeed.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])integratedblognewfeed\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244262; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 
[misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname integratedblognewsapi.azurewebsites.com"; dns.query; content:"integratedblognewsapi.azurewebsites.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])integratedblognewsapi\.azurewebsites\.com$/i"; classtype:trojan-activity; sid:4244271; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname integratedblognewsapi.azurewebsites.com"; flow:to_server,established; http.header; content: "Host|3a| integratedblognewsapi.azurewebsites.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])integratedblognewsapi\.azurewebsites\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244272; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil 
Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname integratedblognewsapi.azurewebsites.net"; dns.query; content:"integratedblognewsapi.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])integratedblognewsapi\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244281; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname integratedblognewsapi.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| integratedblognewsapi.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])integratedblognewsapi\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244282; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname integratedblognews.azurewebsites.net"; dns.query; content:"integratedblognews.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])integratedblognews\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244291; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname integratedblognews.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| integratedblognews.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])integratedblognews\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244292; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname intengineeringrssfeed.azurewebsites.net"; dns.query; content:"intengineeringrssfeed.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])intengineeringrssfeed\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244301; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil 
Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname intengineeringrssfeed.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| intengineeringrssfeed.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])intengineeringrssfeed\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244302; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname intergratedblognewsapi.azurewebsites.net"; dns.query; content:"intergratedblognewsapi.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])intergratedblognewsapi\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244311; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname intergratedblognewsapi.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| intergratedblognewsapi.azurewebsites.net"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-\.])intergratedblognewsapi\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244312; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname javaruntime.azurewebsites.net"; dns.query; content:"javaruntime.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])javaruntime\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244321; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname javaruntime.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| javaruntime.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])javaruntime\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244322; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 
[misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname javaruntimestestapi.azurewebsites.net"; dns.query; content:"javaruntimestestapi.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])javaruntimestestapi\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244331; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname javaruntimestestapi.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| javaruntimestestapi.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])javaruntimestestapi\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244332; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] 
Hostname javaruntimetestapi.azurewebsites.net"; dns.query; content:"javaruntimetestapi.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])javaruntimetestapi\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244341; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname javaruntimetestapi.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| javaruntimetestapi.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])javaruntimetestapi\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244342; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname javaruntimeversioncheckingapi.azurewebsites.net"; dns.query; content:"javaruntimeversioncheckingapi.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])javaruntimeversioncheckingapi\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244351; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 
[misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname javaruntimeversioncheckingapi.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| javaruntimeversioncheckingapi.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])javaruntimeversioncheckingapi\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244352; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname javaruntimeversionchecking.azurewebsites.net"; dns.query; content:"javaruntimeversionchecking.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])javaruntimeversionchecking\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244361; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil 
Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname javaruntimeversionchecking.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| javaruntimeversionchecking.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])javaruntimeversionchecking\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244362; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname jupyternotebookcollection.azurewebsites.net"; dns.query; content:"jupyternotebookcollection.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])jupyternotebookcollection\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244371; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname jupyternotebookcollection.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| jupyternotebookcollection.azurewebsites.net"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-\.])jupyternotebookcollection\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244372; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname jupyternotebookcollections.azurewebsites.net"; dns.query; content:"jupyternotebookcollections.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])jupyternotebookcollections\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244381; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname jupyternotebookcollections.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| jupyternotebookcollections.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])jupyternotebookcollections\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244382; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 
[misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname jupyternotebookscollection.azurewebsites.net"; dns.query; content:"jupyternotebookscollection.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])jupyternotebookscollection\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244391; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname jupyternotebookscollection.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| jupyternotebookscollection.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])jupyternotebookscollection\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244392; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil 
Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname logsapimanagement.azurewebsites.net"; dns.query; content:"logsapimanagement.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])logsapimanagement\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244401; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname logsapimanagement.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| logsapimanagement.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])logsapimanagement\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244402; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname logsapimanagements.azurewebsites.net"; dns.query; content:"logsapimanagements.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])logsapimanagements\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244411; rev:1; priority:1; 
reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname logsapimanagements.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| logsapimanagements.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])logsapimanagements\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244412; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname logupdatemanagementapi.azurewebsites.net"; dns.query; content:"logupdatemanagementapi.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])logupdatemanagementapi\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244421; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab 
Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname logupdatemanagementapi.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| logupdatemanagementapi.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])logupdatemanagementapi\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244422; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname logupdatemanagementapijson.azurewebsites.net"; dns.query; content:"logupdatemanagementapijson.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])logupdatemanagementapijson\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244431; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname logupdatemanagementapijson.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| logupdatemanagementapijson.azurewebsites.net"; 
fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])logupdatemanagementapijson\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244432; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname manpowerfeedapi.azurewebsites.net"; dns.query; content:"manpowerfeedapi.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])manpowerfeedapi\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244441; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname manpowerfeedapi.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| manpowerfeedapi.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])manpowerfeedapi\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244442; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 
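[misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname manpowerfeedapijson.azurewebsites.net"; dns.query; content:"manpowerfeedapijson.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])manpowerfeedapijson\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244451; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
#
# MISP event 411 (threat-actor Tortoiseshell, tlp:white) — hostname indicators.
# Every hostname below is covered by a pair of rules generated from the same attribute:
#   sid ending in 1: DNS query for the exact hostname (dns.query buffer, anchored pcre, any direction)
#   sid ending in 2: outbound cleartext HTTP from $HOME_NET whose Host header carries the hostname
#                    (http.header buffer, Host|3a| content as fast_pattern, session tagged for 600 s)
# Suricata reads one rule per physical line; the rules in this section had been wrapped across
# lines mid-statement and are restored here to a single line each. The first and last lines of
# this section are halves of rules whose other half lies outside this section and are left as found.
#
# Tuning notes:
#  - The pcre on both rules requires the match to start at the beginning of the buffer or after a
#    character that is not a hostname character (letters, digits, "-" or "."), and the DNS pcre is
#    anchored with "$", so sub-domains or longer names that merely contain the hostname do not match.
#  - The HTTP pcre requires a non-hostname character after the name (e.g. ":" or the line end), so a
#    Host header for a longer name does not match either.
#  - These names live under shared cloud parent domains (azurewebsites.net, cloudapp.azure.com); an
#    app name can be released and later re-registered by an unrelated tenant, so keep these rules tied
#    to the referenced event URL and retire them when the event is updated.
#  - Only DNS and cleartext HTTP are matched in this section; a TLS connection to one of these hosts
#    would not trigger the HTTP rule.
#
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname manpowerfeedapijson.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| manpowerfeedapijson.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])manpowerfeedapijson\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244452; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname marineblogapi.azurewebsites.net"; dns.query; content:"marineblogapi.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])marineblogapi\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244461; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname marineblogapi.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| marineblogapi.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])marineblogapi\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244462; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname notebooktextchecking.azurewebsites.net"; dns.query; content:"notebooktextchecking.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])notebooktextchecking\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244471; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname notebooktextchecking.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| notebooktextchecking.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])notebooktextchecking\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244472; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname notebooktextcheckings.azurewebsites.net"; dns.query; content:"notebooktextcheckings.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])notebooktextcheckings\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244481; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname notebooktextcheckings.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| notebooktextcheckings.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])notebooktextcheckings\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244482; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname notebooktexts.azurewebsites.net"; dns.query; content:"notebooktexts.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])notebooktexts\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244491; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname notebooktexts.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| notebooktexts.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])notebooktexts\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244492; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname onequestionsapi.azurewebsites.net"; dns.query; content:"onequestionsapi.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])onequestionsapi\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244501; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname onequestionsapi.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| onequestionsapi.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])onequestionsapi\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244502; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname onequestionsapicheck.azurewebsites.net"; dns.query; content:"onequestionsapicheck.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])onequestionsapicheck\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244511; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname onequestionsapicheck.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| onequestionsapicheck.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])onequestionsapicheck\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244512; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname onequestions.azurewebsites.net"; dns.query; content:"onequestions.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])onequestions\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244521; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname onequestions.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| onequestions.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])onequestions\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244522; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname openapplicationcheck.azurewebsites.net"; dns.query; content:"openapplicationcheck.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])openapplicationcheck\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244531; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname openapplicationcheck.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| openapplicationcheck.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])openapplicationcheck\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244532; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname optionalapplication.azurewebsites.net"; dns.query; content:"optionalapplication.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])optionalapplication\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244541; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname optionalapplication.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| optionalapplication.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])optionalapplication\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244542; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname personalitytestquestionapi.azurewebsites.net"; dns.query; content:"personalitytestquestionapi.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])personalitytestquestionapi\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244551; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname personalitytestquestionapi.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| personalitytestquestionapi.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])personalitytestquestionapi\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244552; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname personalizationsurvey.azurewebsites.net"; dns.query; content:"personalizationsurvey.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])personalizationsurvey\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244561; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname personalizationsurvey.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| personalizationsurvey.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])personalizationsurvey\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244562; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname qaquestionapi.azurewebsites.net"; dns.query; content:"qaquestionapi.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])qaquestionapi\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244571; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname qaquestionapi.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| qaquestionapi.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])qaquestionapi\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244572; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname qaquestionsapi.azurewebsites.net"; dns.query; content:"qaquestionsapi.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])qaquestionsapi\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244581; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname qaquestionsapi.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| qaquestionsapi.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])qaquestionsapi\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244582; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname qaquestionsapijson.azurewebsites.net"; dns.query; content:"qaquestionsapijson.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])qaquestionsapijson\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244591; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname qaquestionsapijson.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| qaquestionsapijson.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])qaquestionsapijson\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244592; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname qaquestions.azurewebsites.net"; dns.query; content:"qaquestions.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])qaquestions\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244601; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname qaquestions.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| qaquestions.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])qaquestions\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244602; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname queryfindquestions.azurewebsites.net"; dns.query; content:"queryfindquestions.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])queryfindquestions\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244611; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname queryfindquestions.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| queryfindquestions.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])queryfindquestions\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244612; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname queryquestions.azurewebsites.net"; dns.query; content:"queryquestions.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])queryquestions\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244621; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname queryquestions.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| queryquestions.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])queryquestions\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244622; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname questionsapplicationapi.azurewebsites.net"; dns.query; content:"questionsapplicationapi.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])questionsapplicationapi\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244631; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname questionsapplicationapi.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| questionsapplicationapi.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])questionsapplicationapi\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244632; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname questionsapplicationapijson.azurewebsites.net"; dns.query; content:"questionsapplicationapijson.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])questionsapplicationapijson\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244641; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname questionsapplicationapijson.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| questionsapplicationapijson.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])questionsapplicationapijson\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244642; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname questionsapplicationbackup.azurewebsites.net"; dns.query; content:"questionsapplicationbackup.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])questionsapplicationbackup\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244651; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname questionsapplicationbackup.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| questionsapplicationbackup.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])questionsapplicationbackup\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244652; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname questionsdatabases.azurewebsites.net"; dns.query; content:"questionsdatabases.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])questionsdatabases\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244661; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname questionsdatabases.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| questionsdatabases.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])questionsdatabases\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244662; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname questionsurveyapp.azurewebsites.net"; dns.query; content:"questionsurveyapp.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])questionsurveyapp\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244671; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname questionsurveyapp.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| questionsurveyapp.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])questionsurveyapp\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244672; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname questionsurveyappserver.azurewebsites.net"; dns.query; content:"questionsurveyappserver.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])questionsurveyappserver\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244681; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname questionsurveyappserver.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| questionsurveyappserver.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])questionsurveyappserver\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244682; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname quiztestapplication.azurewebsites.net"; dns.query; content:"quiztestapplication.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])quiztestapplication\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244691; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname quiztestapplication.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| quiztestapplication.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])quiztestapplication\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244692; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname refaeldevrssfeed.centralus.cloudapp.azure.com"; dns.query; content:"refaeldevrssfeed.centralus.cloudapp.azure.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])refaeldevrssfeed\.centralus\.cloudapp\.azure\.com$/i"; classtype:trojan-activity; sid:4244701; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil 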
Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname refaeldevrssfeed.centralus.cloudapp.azure.com"; flow:to_server,established; http.header; content: "Host|3a| refaeldevrssfeed.centralus.cloudapp.azure.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])refaeldevrssfeed\.centralus\.cloudapp\.azure\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244702; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname regionuaequestions.azurewebsites.net"; dns.query; content:"regionuaequestions.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])regionuaequestions\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244711; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname regionuaequestions.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| regionuaequestions.azurewebsites.net"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-\.])regionuaequestions\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244712; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname registerinsurance.azurewebsites.net"; dns.query; content:"registerinsurance.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])registerinsurance\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244721; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname registerinsurance.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| registerinsurance.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])registerinsurance\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244722; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 
[misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname roadmapselectorapi.azurewebsites.net"; dns.query; content:"roadmapselectorapi.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])roadmapselectorapi\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244731; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname roadmapselectorapi.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| roadmapselectorapi.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])roadmapselectorapi\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244732; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname 
roadmapselector.azurewebsites.net"; dns.query; content:"roadmapselector.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])roadmapselector\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244741; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname roadmapselector.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| roadmapselector.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])roadmapselector\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244742; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname sportblogs.azurewebsites.net"; dns.query; content:"sportblogs.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])sportblogs\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244751; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 
[misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname sportblogs.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| sportblogs.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])sportblogs\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244752; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname surveyappquery.azurewebsites.net"; dns.query; content:"surveyappquery.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])surveyappquery\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244761; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname 
surveyappquery.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| surveyappquery.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])surveyappquery\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244762; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname surveyonlinetestapi.azurewebsites.net"; dns.query; content:"surveyonlinetestapi.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])surveyonlinetestapi\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244771; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname surveyonlinetestapi.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| surveyonlinetestapi.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])surveyonlinetestapi\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244772; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> 
any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname surveyonlinetest.azurewebsites.net"; dns.query; content:"surveyonlinetest.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])surveyonlinetest\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244781; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname surveyonlinetest.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| surveyonlinetest.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])surveyonlinetest\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244782; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil 
Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname technewsblogapi.azurewebsites.net"; dns.query; content:"technewsblogapi.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])technewsblogapi\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244791; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname technewsblogapi.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| technewsblogapi.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])technewsblogapi\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244792; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname testmanagementapi1.azurewebsites.net"; dns.query; content:"testmanagementapi1.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])testmanagementapi1\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244801; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname testmanagementapi1.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| testmanagementapi1.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])testmanagementapi1\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244802; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname testmanagementapis.azurewebsites.net"; dns.query; content:"testmanagementapis.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])testmanagementapis\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244811; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil 
Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname testmanagementapis.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| testmanagementapis.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])testmanagementapis\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244812; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname testmanagementapisjson.azurewebsites.net"; dns.query; content:"testmanagementapisjson.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])testmanagementapisjson\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244821; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname testmanagementapisjson.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| testmanagementapisjson.azurewebsites.net"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-\.])testmanagementapisjson\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244822; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname testquestionapplicationapi.azurewebsites.net"; dns.query; content:"testquestionapplicationapi.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])testquestionapplicationapi\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244831; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname testquestionapplicationapi.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| testquestionapplicationapi.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])testquestionapplicationapi\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244832; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 
[misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname testtesttes.azurewebsites.net"; dns.query; content:"testtesttes.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])testtesttes\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244841; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname testtesttes.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| testtesttes.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])testtesttes\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244842; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname tiappschecktest.azurewebsites.net"; 
dns.query; content:"tiappschecktest.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])tiappschecktest\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244851; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname tiappschecktest.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| tiappschecktest.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])tiappschecktest\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244852; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname tnlsowkis.westus3.cloudapp.azure.com"; dns.query; content:"tnlsowkis.westus3.cloudapp.azure.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])tnlsowkis\.westus3\.cloudapp\.azure\.com$/i"; classtype:trojan-activity; sid:4244861; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 
[misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname tnlsowkis.westus3.cloudapp.azure.com"; flow:to_server,established; http.header; content: "Host|3a| tnlsowkis.westus3.cloudapp.azure.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])tnlsowkis\.westus3\.cloudapp\.azure\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244862; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname tnlsowki.westus3.cloudapp.azure.com"; dns.query; content:"tnlsowki.westus3.cloudapp.azure.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])tnlsowki\.westus3\.cloudapp\.azure\.com$/i"; classtype:trojan-activity; sid:4244871; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing 
HTTP Hostname tnlsowki.westus3.cloudapp.azure.com"; flow:to_server,established; http.header; content: "Host|3a| tnlsowki.westus3.cloudapp.azure.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])tnlsowki\.westus3\.cloudapp\.azure\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244872; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname turkairline.azurewebsites.net"; dns.query; content:"turkairline.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])turkairline\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244881; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname turkairline.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| turkairline.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])turkairline\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244882; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP 
e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname uaeaircheckon.azurewebsites.net"; dns.query; content:"uaeaircheckon.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])uaeaircheckon\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244891; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname uaeaircheckon.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| uaeaircheckon.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])uaeaircheckon\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244892; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname 
uaeairchecks.azurewebsites.net"; dns.query; content:"uaeairchecks.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])uaeairchecks\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244901; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname uaeairchecks.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| uaeairchecks.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])uaeairchecks\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244902; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname vscodeupdater.azurewebsites.net"; dns.query; content:"vscodeupdater.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])vscodeupdater\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244911; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 
[misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname vscodeupdater.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| vscodeupdater.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])vscodeupdater\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244912; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname workersquestionsapi.azurewebsites.net"; dns.query; content:"workersquestionsapi.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])workersquestionsapi\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244921; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname 
workersquestionsapi.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| workersquestionsapi.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])workersquestionsapi\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244922; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname workersquestions.azurewebsites.net"; dns.query; content:"workersquestions.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])workersquestions\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244931; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname workersquestions.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| workersquestions.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])workersquestions\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244932; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;) alert dns any any -> 
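any any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Hostname workersquestionsjson.azurewebsites.net"; dns.query; content:"workersquestionsjson.azurewebsites.net"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])workersquestionsjson\.azurewebsites\.net$/i"; classtype:trojan-activity; sid:4244941; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e411 [misp-galaxy:target-information="Albania",misp-galaxy:target-information="India",misp-galaxy:target-information="Israel",misp-galaxy:target-information="Turkey",misp-galaxy:target-information="United Arab Emirates",misp-galaxy:sector="Aerospace",misp-galaxy:sector="Civil Aviation",misp-galaxy:sector="Defense",misp-galaxy:country="iran",misp-galaxy:threat-actor="Tortoiseshell",tlp:white] Outgoing HTTP Hostname workersquestionsjson.azurewebsites.net"; flow:to_server,established; http.header; content: "Host|3a| workersquestionsjson.azurewebsites.net"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])workersquestionsjson\.azurewebsites\.net[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4244942; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/411;)
# NOTE(review): sid 4244971 below alerts on traffic to 1.92.240.113, but every URL rule
# exported from the same event (sids 4245001-4245031, further down) points at
# 91.92.240.113, and no "Outgoing To IP" rule exists for 91.92.240.113. One of the two
# addresses is presumably a transcription error in MISP event 412 -- verify against the
# source event before deploying: as written, the C2 address carried by the URL rules has
# no IP-layer coverage, and the IP rule may fire on an unrelated host.
# NOTE(review): the unescaped inner quotes inside msg (e.g. malpedia="Nerbian RAT") are a
# file-wide export artefact; Suricata's rule parser may reject them -- left as-is here.
alert ip $HOME_NET any -> 1.92.240.113 any (msg: "MISP e412 [tlp:white,misp-galaxy:malpedia="Nerbian RAT"] Outgoing To IP: 1.92.240.113"; classtype:trojan-activity; sid:4244971; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/412;)
alert ip $HOME_NET any -> 45.9.149.215 any (msg: "MISP e412 [tlp:white,misp-galaxy:malpedia="Nerbian RAT"] Outgoing To IP: 45.9.149.215"; classtype:trojan-activity; sid:4244981; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/412;)
alert ip $HOME_NET any -> 94.156.71.115 any (msg: "MISP e412 [tlp:white,misp-galaxy:malpedia="Nerbian RAT"] Outgoing To IP: 94.156.71.115"; classtype:trojan-activity; sid:4244991; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/412;)
alert http $HOME_NET any -> 91.92.240.113 $HTTP_PORTS (msg: "MISP e412 [tlp:white,misp-galaxy:malpedia="Nerbian RAT"] Outgoing URL http|3a|//91.92.240.113/auth.js"; flow:to_server,established; http.header; content:"91.92.240.113"; fast_pattern; nocase; http.uri; content:"/auth.js"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4245001; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/412;)
alert http $HOME_NET any -> 91.92.240.113 $HTTP_PORTS (msg: "MISP e412 [tlp:white,misp-galaxy:malpedia="Nerbian RAT"] Outgoing URL http|3a|//91.92.240.113/login.cgi"; flow:to_server,established; http.header; content:"91.92.240.113"; fast_pattern; nocase; http.uri; content:"/login.cgi"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4245011; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/412;)
alert http $HOME_NET any -> 91.92.240.113 $HTTP_PORTS (msg: "MISP e412 [tlp:white,misp-galaxy:malpedia="Nerbian RAT"] Outgoing URL http|3a|//91.92.240.113/aparche2"; flow:to_server,established; http.header; content:"91.92.240.113"; fast_pattern; nocase; http.uri; content:"/aparche2"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4245021; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/412;)
alert http $HOME_NET any -> 91.92.240.113 $HTTP_PORTS (msg: "MISP e412 [tlp:white,misp-galaxy:malpedia="Nerbian RAT"] Outgoing URL http|3a|//91.92.240.113/agent"; flow:to_server,established; http.header; content:"91.92.240.113"; fast_pattern; nocase; http.uri; content:"/agent"; nocase; tag:session,600,seconds; 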
classtype:trojan-activity; sid:4245031; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/412;) alert http $HOME_NET any -> 45.9.149.215 $HTTP_PORTS (msg: "MISP e412 [tlp:white,misp-galaxy:malpedia="Nerbian RAT"] Outgoing URL http|3a|//45.9.149.215/aparche2"; flow:to_server,established; http.header; content:"45.9.149.215"; fast_pattern; nocase; http.uri; content:"/aparche2"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4245041; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/412;) alert http $HOME_NET any -> 45.9.149.215 $HTTP_PORTS (msg: "MISP e412 [tlp:white,misp-galaxy:malpedia="Nerbian RAT"] Outgoing URL http|3a|//45.9.149.215/agent"; flow:to_server,established; http.header; content:"45.9.149.215"; fast_pattern; nocase; http.uri; content:"/agent"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4245051; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/412;) alert http $HOME_NET any -> 94.156.71.115 $HTTP_PORTS (msg: "MISP e412 [tlp:white,misp-galaxy:malpedia="Nerbian RAT"] Outgoing URL http|3a|//94.156.71.115/lxrt"; flow:to_server,established; http.header; content:"94.156.71.115"; fast_pattern; nocase; http.uri; content:"/lxrt"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4245061; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/412;) alert http $HOME_NET any -> 94.156.71.115 $HTTP_PORTS (msg: "MISP e412 [tlp:white,misp-galaxy:malpedia="Nerbian RAT"] Outgoing URL http|3a|//94.156.71.115/agent"; flow:to_server,established; http.header; content:"94.156.71.115"; fast_pattern; nocase; http.uri; content:"/agent"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4245071; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/412;) alert http $HOME_NET any -> 94.156.71.115 $HTTP_PORTS (msg: "MISP e412 [tlp:white,misp-galaxy:malpedia="Nerbian RAT"] Outgoing URL http|3a|//94.156.71.115/instali.ps1"; 
flow:to_server,established; http.header; content:"94.156.71.115"; fast_pattern; nocase; http.uri; content:"/instali.ps1"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4245081; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/412;) alert http $HOME_NET any -> 94.156.71.115 $HTTP_PORTS (msg: "MISP e412 [tlp:white,misp-galaxy:malpedia="Nerbian RAT"] Outgoing URL http|3a|//94.156.71.115/ligocert.dat"; flow:to_server,established; http.header; content:"94.156.71.115"; fast_pattern; nocase; http.uri; content:"/ligocert.dat"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4245091; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/412;) alert http $HOME_NET any -> 94.156.71.115 $HTTP_PORTS (msg: "MISP e412 [tlp:white,misp-galaxy:malpedia="Nerbian RAT"] Outgoing URL http|3a|//94.156.71.115/angel.dat"; flow:to_server,established; http.header; content:"94.156.71.115"; fast_pattern; nocase; http.uri; content:"/angel.dat"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4245101; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/412;) alert http $HOME_NET any -> 94.156.71.115 $HTTP_PORTS (msg: "MISP e412 [tlp:white,misp-galaxy:malpedia="Nerbian RAT"] Outgoing URL http|3a|//94.156.71.115/windows.xml"; flow:to_server,established; http.header; content:"94.156.71.115"; fast_pattern; nocase; http.uri; content:"/windows.xml"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4245111; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/412;) alert http $HOME_NET any -> 94.156.71.115 $HTTP_PORTS (msg: "MISP e412 [tlp:white,misp-galaxy:malpedia="Nerbian RAT"] Outgoing URL http|3a|//94.156.71.115/instal1.ps1"; flow:to_server,established; http.header; content:"94.156.71.115"; fast_pattern; nocase; http.uri; content:"/instal1.ps1"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4245121; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/412;) alert http $HOME_NET any -> 94.156.71.115 $HTTP_PORTS (msg: "MISP e412 [tlp:white,misp-galaxy:malpedia="Nerbian RAT"] Outgoing URL http|3a|//94.156.71.115/Maintenance.ps1"; flow:to_server,established; http.header; content:"94.156.71.115"; fast_pattern; nocase; http.uri; content:"/Maintenance.ps1"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4245131; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/412;) alert http $HOME_NET any -> 94.156.71.115 $HTTP_PORTS (msg: "MISP e412 [tlp:white,misp-galaxy:malpedia="Nerbian RAT"] Outgoing URL http|3a|//94.156.71.115/baba.dat"; flow:to_server,established; http.header; content:"94.156.71.115"; fast_pattern; nocase; http.uri; content:"/baba.dat"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4245141; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/412;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e412 [tlp:white,misp-galaxy:malpedia="Nerbian RAT"] Outgoing URL http|3a|//oncloud-analytics.com/files/mg/elf/RT1.50.png"; flow:to_server,established; http.header; content:"oncloud-analytics.com"; fast_pattern; nocase; http.uri; content:"/files/mg/elf/RT1.50.png"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4245151; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/412;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e412 [tlp:white,misp-galaxy:malpedia="Nerbian RAT"] Outgoing URL http|3a|//cloudflareaddons.com/assets/img/Image_Slider15.1.png"; flow:to_server,established; http.header; content:"cloudflareaddons.com"; fast_pattern; nocase; http.uri; content:"/assets/img/Image_Slider15.1.png"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4245161; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/412;) alert dns any any -> any any (msg: "MISP e412 [tlp:white,misp-galaxy:malpedia="Nerbian 
RAT"] Domain mailchimp-addons.com"; dns.query; content:"mailchimp-addons.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])mailchimp\-addons\.com$/i"; classtype:trojan-activity; sid:4245171; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/412;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e412 [tlp:white,misp-galaxy:malpedia="Nerbian RAT"] Outgoing HTTP Domain mailchimp-addons.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"mailchimp-addons.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])mailchimp\-addons\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4245172; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/412;) alert dns any any -> any any (msg: "MISP e412 [tlp:white,misp-galaxy:malpedia="Nerbian RAT"] Domain allsecurehosting.com"; dns.query; content:"allsecurehosting.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])allsecurehosting\.com$/i"; classtype:trojan-activity; sid:4245181; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/412;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e412 [tlp:white,misp-galaxy:malpedia="Nerbian RAT"] Outgoing HTTP Domain allsecurehosting.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"allsecurehosting.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])allsecurehosting\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4245182; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/412;) alert dns any any -> any any (msg: "MISP e412 [tlp:white,misp-galaxy:malpedia="Nerbian RAT"] Domain dev-clientservice.com"; dns.query; content:"dev-clientservice.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])dev\-clientservice\.com$/i"; classtype:trojan-activity; sid:4245191; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/412;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP 
e412 [tlp:white,misp-galaxy:malpedia="Nerbian RAT"] Outgoing HTTP Domain dev-clientservice.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dev-clientservice.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dev\-clientservice\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4245192; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/412;) alert dns any any -> any any (msg: "MISP e412 [tlp:white,misp-galaxy:malpedia="Nerbian RAT"] Domain oncloud-analytics.com"; dns.query; content:"oncloud-analytics.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])oncloud\-analytics\.com$/i"; classtype:trojan-activity; sid:4245201; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/412;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e412 [tlp:white,misp-galaxy:malpedia="Nerbian RAT"] Outgoing HTTP Domain oncloud-analytics.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"oncloud-analytics.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])oncloud\-analytics\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4245202; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/412;) alert dns any any -> any any (msg: "MISP e412 [tlp:white,misp-galaxy:malpedia="Nerbian RAT"] Domain cloudflareaddons.com"; dns.query; content:"cloudflareaddons.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])cloudflareaddons\.com$/i"; classtype:trojan-activity; sid:4245211; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/412;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e412 [tlp:white,misp-galaxy:malpedia="Nerbian RAT"] Outgoing HTTP Domain cloudflareaddons.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"cloudflareaddons.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])cloudflareaddons\.com[^A-Za-z0-9-\.]/Hi"; 
tag:session,600,seconds; classtype:trojan-activity; sid:4245212; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/412;) alert dns any any -> any any (msg: "MISP e412 [tlp:white,misp-galaxy:malpedia="Nerbian RAT"] Domain textsmsonline.com"; dns.query; content:"textsmsonline.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])textsmsonline\.com$/i"; classtype:trojan-activity; sid:4245221; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/412;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e412 [tlp:white,misp-galaxy:malpedia="Nerbian RAT"] Outgoing HTTP Domain textsmsonline.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"textsmsonline.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])textsmsonline\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4245222; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/412;) alert dns any any -> any any (msg: "MISP e412 [tlp:white,misp-galaxy:malpedia="Nerbian RAT"] Domain proreceive.com"; dns.query; content:"proreceive.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])proreceive\.com$/i"; classtype:trojan-activity; sid:4245231; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/412;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e412 [tlp:white,misp-galaxy:malpedia="Nerbian RAT"] Outgoing HTTP Domain proreceive.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"proreceive.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])proreceive\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4245232; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/412;) alert ip $HOME_NET any -> 172.86.66.165 any (msg: "MISP e412 [tlp:white,misp-galaxy:malpedia="Nerbian RAT"] Outgoing To IP: 172.86.66.165"; classtype:trojan-activity; sid:4245241; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/412;) alert ip $HOME_NET any -> 45.153.240.73 any (msg: "MISP e412 [tlp:white,misp-galaxy:malpedia="Nerbian RAT"] Outgoing To IP: 45.153.240.73"; classtype:trojan-activity; sid:4245251; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/412;) alert dns any any -> any any (msg: "MISP e413 [tlp:white,misp-galaxy:mitre-attack-pattern="Malvertising - T1583.008"] Hostname cecar.com.ar"; dns.query; content:"cecar.com.ar"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cecar\.com\.ar$/i"; classtype:trojan-activity; sid:4245481; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/413;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e413 [tlp:white,misp-galaxy:mitre-attack-pattern="Malvertising - T1583.008"] Outgoing HTTP Hostname cecar.com.ar"; flow:to_server,established; http.header; content: "Host|3a| cecar.com.ar"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cecar\.com\.ar[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4245482; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/413;) alert dns any any -> any any (msg: "MISP e413 [tlp:white,misp-galaxy:mitre-attack-pattern="Malvertising - T1583.008"] Hostname estiloplus.tur.ar"; dns.query; content:"estiloplus.tur.ar"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])estiloplus\.tur\.ar$/i"; classtype:trojan-activity; sid:4245491; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/413;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e413 [tlp:white,misp-galaxy:mitre-attack-pattern="Malvertising - T1583.008"] Outgoing HTTP Hostname estiloplus.tur.ar"; flow:to_server,established; http.header; content: "Host|3a| estiloplus.tur.ar"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])estiloplus\.tur\.ar[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4245492; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/413;) alert dns any any -> 
any any (msg: "MISP e413 [tlp:white,misp-galaxy:mitre-attack-pattern="Malvertising - T1583.008"] Domain obs-software.cc"; dns.query; content:"obs-software.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-])obs\-software\.cc$/i"; classtype:trojan-activity; sid:4245501; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/413;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e413 [tlp:white,misp-galaxy:mitre-attack-pattern="Malvertising - T1583.008"] Outgoing HTTP Domain obs-software.cc"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"obs-software.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])obs\-software\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4245502; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/413;) alert dns any any -> any any (msg: "MISP e413 [tlp:white,misp-galaxy:mitre-attack-pattern="Malvertising - T1583.008"] Domain bandi-cam.cc"; dns.query; content:"bandi-cam.cc"; nocase; pcre: "/(^|[^A-Za-z0-9-])bandi\-cam\.cc$/i"; classtype:trojan-activity; sid:4245511; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/413;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e413 [tlp:white,misp-galaxy:mitre-attack-pattern="Malvertising - T1583.008"] Outgoing HTTP Domain bandi-cam.cc"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bandi-cam.cc"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bandi\-cam\.cc[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4245512; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/413;) alert dns any any -> any any (msg: "MISP e413 [tlp:white,misp-galaxy:mitre-attack-pattern="Malvertising - T1583.008"] Domain breavas.app"; dns.query; content:"breavas.app"; nocase; pcre: "/(^|[^A-Za-z0-9-])breavas\.app$/i"; classtype:trojan-activity; sid:4245521; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/413;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e413 [tlp:white,misp-galaxy:mitre-attack-pattern="Malvertising - T1583.008"] Outgoing HTTP Domain breavas.app"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"breavas.app"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])breavas\.app[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4245522; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/413;) alert dns any any -> any any (msg: "MISP e413 [tlp:white,misp-galaxy:mitre-attack-pattern="Malvertising - T1583.008"] Domain open-project.org"; dns.query; content:"open-project.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])open\-project\.org$/i"; classtype:trojan-activity; sid:4245531; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/413;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e413 [tlp:white,misp-galaxy:mitre-attack-pattern="Malvertising - T1583.008"] Outgoing HTTP Domain open-project.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"open-project.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])open\-project\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4245532; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/413;) alert dns any any -> any any (msg: "MISP e413 [tlp:white,misp-galaxy:mitre-attack-pattern="Malvertising - T1583.008"] Domain onenote-download.com"; dns.query; content:"onenote-download.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])onenote\-download\.com$/i"; classtype:trojan-activity; sid:4245541; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/413;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e413 [tlp:white,misp-galaxy:mitre-attack-pattern="Malvertising - T1583.008"] Outgoing HTTP Domain onenote-download.com"; flow:to_server,established; 
http.header; content: "Host|3a|"; nocase; http.header; content:"onenote-download.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])onenote\-download\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4245542; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/413;) alert dns any any -> any any (msg: "MISP e413 [tlp:white,misp-galaxy:mitre-attack-pattern="Malvertising - T1583.008"] Domain epicgames-store.org"; dns.query; content:"epicgames-store.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])epicgames\-store\.org$/i"; classtype:trojan-activity; sid:4245551; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/413;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e413 [tlp:white,misp-galaxy:mitre-attack-pattern="Malvertising - T1583.008"] Outgoing HTTP Domain epicgames-store.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"epicgames-store.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])epicgames\-store\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4245552; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/413;) alert dns any any -> any any (msg: "MISP e413 [tlp:white,misp-galaxy:mitre-attack-pattern="Malvertising - T1583.008"] Domain blcnder.org"; dns.query; content:"blcnder.org"; nocase; pcre: "/(^|[^A-Za-z0-9-])blcnder\.org$/i"; classtype:trojan-activity; sid:4245561; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/413;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e413 [tlp:white,misp-galaxy:mitre-attack-pattern="Malvertising - T1583.008"] Outgoing HTTP Domain blcnder.org"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"blcnder.org"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])blcnder\.org[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4245562; rev:1; priority:3; 
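reference:url,https://misp.botvrij.eu/events/view/413;)
# NOTE(review): the five "Outgoing URL" rules below (sids 4245571-4245611) were exported
# from url attributes that carry no scheme, so the exporter placed the entire
# "host/path" string into http.uri. In an ordinary request only the path appears in the
# request line (the host lives in the Host header), so the original form could match
# nothing but proxy-style absolute URIs. Rewritten to the host-in-header / path-in-uri
# form the other URL rules in this file already use (cf. sids 4245151 and 4245161) and
# bumped to rev:2 because the detection logic changed. msg text is unchanged.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e413 [tlp:white,misp-galaxy:mitre-attack-pattern="Malvertising - T1583.008"] Outgoing URL bezynet.com/OBS-Studio-30.0.2-Full-Installer-x64.msix"; flow:to_server,established; http.header; content:"bezynet.com"; fast_pattern; nocase; http.uri; content:"/OBS-Studio-30.0.2-Full-Installer-x64.msix"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4245571; rev:2; priority:3; reference:url,https://misp.botvrij.eu/events/view/413;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e413 [tlp:white,misp-galaxy:mitre-attack-pattern="Malvertising - T1583.008"] Outgoing URL bezynet.com/Bandicam_7.21_win64.msix"; flow:to_server,established; http.header; content:"bezynet.com"; fast_pattern; nocase; http.uri; content:"/Bandicam_7.21_win64.msix"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4245581; rev:2; priority:3; reference:url,https://misp.botvrij.eu/events/view/413;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e413 [tlp:white,misp-galaxy:mitre-attack-pattern="Malvertising - T1583.008"] Outgoing URL church-notes.com/Braavos-Wallet.msix"; flow:to_server,established; http.header; content:"church-notes.com"; fast_pattern; nocase; http.uri; content:"/Braavos-Wallet.msix"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4245591; rev:2; priority:3; reference:url,https://misp.botvrij.eu/events/view/413;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e413 [tlp:white,misp-galaxy:mitre-attack-pattern="Malvertising - T1583.008"] Outgoing URL church-notes.com/Epic-Games_Setup.msix"; flow:to_server,established; http.header; content:"church-notes.com"; fast_pattern; nocase; http.uri; content:"/Epic-Games_Setup.msix"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4245601; rev:2; priority:3; reference:url,https://misp.botvrij.eu/events/view/413;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e413 [tlp:white,misp-galaxy:mitre-attack-pattern="Malvertising - T1583.008"] Outgoing URL church-notes.com/Onenote_setup.msix"; flow:to_server,established; http.header; content:"church-notes.com"; fast_pattern; nocase; http.uri; content:"/Onenote_setup.msix"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4245611; rev:2; priority:3; reference:url,https://misp.botvrij.eu/events/view/413;)
alert dns any any -> any any (msg: "MISP e413 [tlp:white,misp-galaxy:mitre-attack-pattern="Malvertising - T1583.008"] Domain ads-pill.xyz"; dns.query; content:"ads-pill.xyz"; nocase; pcre: "/(^|[^A-Za-z0-9-])ads\-pill\.xyz$/i"; classtype:trojan-activity; sid:4245671; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/413;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e413 [tlp:white,misp-galaxy:mitre-attack-pattern="Malvertising - T1583.008"] Outgoing HTTP Domain ads-pill.xyz"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ads-pill.xyz"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ads\-pill\.xyz[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4245672; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/413;)
alert dns any any -> any any (msg: "MISP e413 [tlp:white,misp-galaxy:mitre-attack-pattern="Malvertising - T1583.008"] Domain ads-pill.top"; dns.query; content:"ads-pill.top"; nocase; pcre: "/(^|[^A-Za-z0-9-])ads\-pill\.top$/i"; classtype:trojan-activity; sid:4245681; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/413;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e413 [tlp:white,misp-galaxy:mitre-attack-pattern="Malvertising - T1583.008"] Outgoing HTTP Domain ads-pill.top"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ads-pill.top"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ads\-pill\.top[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4245682; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/413;)
alert dns any any -> any any 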
(msg: "MISP e413 [tlp:white,misp-galaxy:mitre-attack-pattern="Malvertising - T1583.008"] Domain ads-tooth.top"; dns.query; content:"ads-tooth.top"; nocase; pcre: "/(^|[^A-Za-z0-9-])ads\-tooth\.top$/i"; classtype:trojan-activity; sid:4245691; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/413;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e413 [tlp:white,misp-galaxy:mitre-attack-pattern="Malvertising - T1583.008"] Outgoing HTTP Domain ads-tooth.top"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ads-tooth.top"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ads\-tooth\.top[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4245692; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/413;) alert dns any any -> any any (msg: "MISP e413 [tlp:white,misp-galaxy:mitre-attack-pattern="Malvertising - T1583.008"] Domain ads-analyze.top"; dns.query; content:"ads-analyze.top"; nocase; pcre: "/(^|[^A-Za-z0-9-])ads\-analyze\.top$/i"; classtype:trojan-activity; sid:4245701; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/413;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e413 [tlp:white,misp-galaxy:mitre-attack-pattern="Malvertising - T1583.008"] Outgoing HTTP Domain ads-analyze.top"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"ads-analyze.top"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])ads\-analyze\.top[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4245702; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/413;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Outgoing URL https|3a|//arr-wd3463btrq-uc.a.run.app"; tls.sni; content:"arr-wd3463btrq-uc.a.run.app"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4246201; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Outgoing URL https|3a|//storage.googleapis.com/alele/FAT.1705617082.zip"; tls.sni; content:"storage.googleapis.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4246211; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Outgoing URL https|3a|//portu-wd3463btrq-uc.a.run.app"; tls.sni; content:"portu-wd3463btrq-uc.a.run.app"; tag:session,600,seconds; classtype:trojan-activity; sid:4246221; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Outgoing URL https|3a|//storage.googleapis.com/alele/Fat.184949849.zip"; tls.sni; content:"storage.googleapis.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4246231; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Outgoing URL http|3a|//avfa-wd3463btrq-uc.a.run.app"; flow:to_server,established; http.header; content:"avfa-wd3463btrq-uc.a.run.app"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4246241; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e416 
[tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Outgoing URL http|3a|//factalia-ofh2cutija-uc.a.run.app"; flow:to_server,established; http.header; content:"factalia-ofh2cutija-uc.a.run.app"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4246251; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Outgoing URL http|3a|//gasgas-wd3463btrq-uc.a.run.app"; flow:to_server,established; http.header; content:"gasgas-wd3463btrq-uc.a.run.app"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4246261; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Outgoing URL http|3a|//haergsd-wd3463btrq-uc.a.run.app"; flow:to_server,established; http.header; content:"haergsd-wd3463btrq-uc.a.run.app"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4246271; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Outgoing URL http|3a|//jx-krrdbo6imq-uc.a.run.app"; flow:to_server,established; http.header; content:"jx-krrdbo6imq-uc.a.run.app"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4246281; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e416 
[tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Outgoing URL http|3a|//ptb-wd3463btrq-uc.a.run.app"; flow:to_server,established; http.header; content:"ptb-wd3463btrq-uc.a.run.app"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4246291; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Outgoing URL http|3a|//ptm-wd3463btrq-uc.a.run.app"; flow:to_server,established; http.header; content:"ptm-wd3463btrq-uc.a.run.app"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4246301; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Outgoing URL http|3a|//pto-wd3463btrq-uc.a.run.app"; flow:to_server,established; http.header; content:"pto-wd3463btrq-uc.a.run.app"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4246311; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Outgoing URL http|3a|//w3iuwl.nextmax.my.id/?5/"; flow:to_server,established; http.header; content:"w3iuwl.nextmax.my.id"; fast_pattern; nocase; http.uri; content:"/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4246321; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e416 
[tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Outgoing URL http|3a|//wae4w.mariomanagement.biz.id/?76849368130628733"; flow:to_server,established; http.header; content:"wae4w.mariomanagement.biz.id"; fast_pattern; nocase; http.uri; content:"/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4246331; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Outgoing URL http|3a|//wae4w.mariomanagement.biz.id/?39829895502632947"; flow:to_server,established; http.header; content:"wae4w.mariomanagement.biz.id"; fast_pattern; nocase; http.uri; content:"/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4246341; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Outgoing URL http|3a|//wae4w.mariomanagement.biz.id/?61694995802639066"; flow:to_server,established; http.header; content:"wae4w.mariomanagement.biz.id"; fast_pattern; nocase; http.uri; content:"/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4246351; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Outgoing URL http|3a|//wae4w.mariomanagement.biz.id/?41991463280678058"; flow:to_server,established; http.header; content:"wae4w.mariomanagement.biz.id"; fast_pattern; nocase; http.uri; content:"/"; nocase; tag:session,600,seconds; classtype:trojan-activity; 
sid:4246361; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Outgoing URL http|3a|//wae4w.mariomanagement.biz.id/?51999170290693658"; flow:to_server,established; http.header; content:"wae4w.mariomanagement.biz.id"; fast_pattern; nocase; http.uri; content:"/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4246371; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Outgoing URL http|3a|//wae4w.mariomanagement.biz.id/?75129547751613994"; flow:to_server,established; http.header; content:"wae4w.mariomanagement.biz.id"; fast_pattern; nocase; http.uri; content:"/"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4246381; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert ip $HOME_NET any -> 34.135.1.100 any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Outgoing To IP: 34.135.1.100"; classtype:trojan-activity; sid:4246391; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert dns any any -> any any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Hostname arr-wd3463btrq-uc.a.run.app"; dns.query; content:"arr-wd3463btrq-uc.a.run.app"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])arr\-wd3463btrq\-uc\.a\.run\.app$/i"; classtype:trojan-activity; sid:4246401; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e416 
[tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Outgoing HTTP Hostname arr-wd3463btrq-uc.a.run.app"; flow:to_server,established; http.header; content: "Host|3a| arr-wd3463btrq-uc.a.run.app"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])arr\-wd3463btrq\-uc\.a\.run\.app[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4246402; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert dns any any -> any any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Hostname portu-wd3463btrq-uc.a.run.app"; dns.query; content:"portu-wd3463btrq-uc.a.run.app"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])portu\-wd3463btrq\-uc\.a\.run\.app$/i"; classtype:trojan-activity; sid:4246411; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Outgoing HTTP Hostname portu-wd3463btrq-uc.a.run.app"; flow:to_server,established; http.header; content: "Host|3a| portu-wd3463btrq-uc.a.run.app"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])portu\-wd3463btrq\-uc\.a\.run\.app[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4246412; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert dns any any -> any any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Hostname xwago.creativeplus.my.id"; dns.query; content:"xwago.creativeplus.my.id"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])xwago\.creativeplus\.my\.id$/i"; classtype:trojan-activity; sid:4246421; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Outgoing HTTP Hostname xwago.creativeplus.my.id"; flow:to_server,established; http.header; content: "Host|3a| xwago.creativeplus.my.id"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])xwago\.creativeplus\.my\.id[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4246422; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert dns any any -> any any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Hostname wae4w.mariomanagement.biz.id"; dns.query; content:"wae4w.mariomanagement.biz.id"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])wae4w\.mariomanagement\.biz\.id$/i"; classtype:trojan-activity; sid:4246431; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Outgoing HTTP Hostname wae4w.mariomanagement.biz.id"; flow:to_server,established; http.header; content: "Host|3a| wae4w.mariomanagement.biz.id"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])wae4w\.mariomanagement\.biz\.id[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4246432; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert dns any any -> any any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Hostname h4aowa.mariostrategy.my.id"; dns.query; content:"h4aowa.mariostrategy.my.id"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])h4aowa\.mariostrategy\.my\.id$/i"; classtype:trojan-activity; sid:4246441; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Outgoing HTTP Hostname h4aowa.mariostrategy.my.id"; flow:to_server,established; http.header; content: "Host|3a| h4aowa.mariostrategy.my.id"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])h4aowa\.mariostrategy\.my\.id[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4246442; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert dns any any -> any any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Hostname yaiinr.actiongroup.my.id"; dns.query; content:"yaiinr.actiongroup.my.id"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])yaiinr\.actiongroup\.my\.id$/i"; classtype:trojan-activity; sid:4246451; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Outgoing HTTP Hostname yaiinr.actiongroup.my.id"; flow:to_server,established; http.header; content: "Host|3a| yaiinr.actiongroup.my.id"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])yaiinr\.actiongroup\.my\.id[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4246452; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert dns any any -> any any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Hostname e0aonr.creativeplus.my.id"; dns.query; content:"e0aonr.creativeplus.my.id"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])e0aonr\.creativeplus\.my\.id$/i"; classtype:trojan-activity; sid:4246461; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Outgoing HTTP Hostname e0aonr.creativeplus.my.id"; flow:to_server,established; http.header; content: "Host|3a| e0aonr.creativeplus.my.id"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])e0aonr\.creativeplus\.my\.id[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4246462; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert dns any any -> any any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Hostname wiae5.marioadvisory.my.id"; dns.query; content:"wiae5.marioadvisory.my.id"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])wiae5\.marioadvisory\.my\.id$/i"; classtype:trojan-activity; sid:4246471; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Outgoing HTTP Hostname wiae5.marioadvisory.my.id"; flow:to_server,established; http.header; content: "Host|3a| wiae5.marioadvisory.my.id"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])wiae5\.marioadvisory\.my\.id[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4246472; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert dns any any -> any any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Hostname caiiaf.businesswise.biz.id"; dns.query; content:"caiiaf.businesswise.biz.id"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])caiiaf\.businesswise\.biz\.id$/i"; classtype:trojan-activity; sid:4246481; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: 
"MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Outgoing HTTP Hostname caiiaf.businesswise.biz.id"; flow:to_server,established; http.header; content: "Host|3a| caiiaf.businesswise.biz.id"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])caiiaf\.businesswise\.biz\.id[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4246482; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert dns any any -> any any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Hostname 2joafm.marioanalytics.my.id"; dns.query; content:"2joafm.marioanalytics.my.id"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])2joafm\.marioanalytics\.my\.id$/i"; classtype:trojan-activity; sid:4246491; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Outgoing HTTP Hostname 2joafm.marioanalytics.my.id"; flow:to_server,established; http.header; content: "Host|3a| 2joafm.marioanalytics.my.id"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])2joafm\.marioanalytics\.my\.id[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4246492; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert dns any any -> any any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Hostname nqaa8e.businesswise.biz.id"; dns.query; content:"nqaa8e.businesswise.biz.id"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])nqaa8e\.businesswise\.biz\.id$/i"; classtype:trojan-activity; sid:4246501; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Outgoing HTTP Hostname nqaa8e.businesswise.biz.id"; flow:to_server,established; http.header; content: "Host|3a| nqaa8e.businesswise.biz.id"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])nqaa8e\.businesswise\.biz\.id[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4246502; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert dns any any -> any any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Hostname nweow8.mariostrategy.my.id"; dns.query; content:"nweow8.mariostrategy.my.id"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])nweow8\.mariostrategy\.my\.id$/i"; classtype:trojan-activity; sid:4246511; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Outgoing HTTP Hostname nweow8.mariostrategy.my.id"; flow:to_server,established; http.header; content: "Host|3a| nweow8.mariostrategy.my.id"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])nweow8\.mariostrategy\.my\.id[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4246512; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert dns any any -> any any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Hostname wba0s.produtoeletro.my.id"; dns.query; content:"wba0s.produtoeletro.my.id"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])wba0s\.produtoeletro\.my\.id$/i"; classtype:trojan-activity; sid:4246521; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Outgoing HTTP Hostname wba0s.produtoeletro.my.id"; flow:to_server,established; http.header; content: "Host|3a| wba0s.produtoeletro.my.id"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])wba0s\.produtoeletro\.my\.id[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4246522; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert dns any any -> any any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Hostname 4hawb.produtoeletro.my.id"; dns.query; content:"4hawb.produtoeletro.my.id"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])4hawb\.produtoeletro\.my\.id$/i"; classtype:trojan-activity; sid:4246531; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Outgoing HTTP Hostname 4hawb.produtoeletro.my.id"; flow:to_server,established; http.header; content: "Host|3a| 4hawb.produtoeletro.my.id"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])4hawb\.produtoeletro\.my\.id[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4246532; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert dns any any -> any any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Hostname cua3e.mariosolutions.biz.id"; dns.query; content:"cua3e.mariosolutions.biz.id"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cua3e\.mariosolutions\.biz\.id$/i"; classtype:trojan-activity; sid:4246541; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: 
"MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Outgoing HTTP Hostname cua3e.mariosolutions.biz.id"; flow:to_server,established; http.header; content: "Host|3a| cua3e.mariosolutions.biz.id"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])cua3e\.mariosolutions\.biz\.id[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4246542; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert dns any any -> any any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Hostname eeiul.marioadvisory.my.id"; dns.query; content:"eeiul.marioadvisory.my.id"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])eeiul\.marioadvisory\.my\.id$/i"; classtype:trojan-activity; sid:4246551; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Outgoing HTTP Hostname eeiul.marioadvisory.my.id"; flow:to_server,established; http.header; content: "Host|3a| eeiul.marioadvisory.my.id"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])eeiul\.marioadvisory\.my\.id[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4246552; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert dns any any -> any any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Hostname kka5c.marioanalytics.my.id"; dns.query; content:"kka5c.marioanalytics.my.id"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])kka5c\.marioanalytics\.my\.id$/i"; classtype:trojan-activity; sid:4246561; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: 
"MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Outgoing HTTP Hostname kka5c.marioanalytics.my.id"; flow:to_server,established; http.header; content: "Host|3a| kka5c.marioanalytics.my.id"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])kka5c\.marioanalytics\.my\.id[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4246562; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert dns any any -> any any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Hostname w8oaa0.mariosolutions.biz.id"; dns.query; content:"w8oaa0.mariosolutions.biz.id"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])w8oaa0\.mariosolutions\.biz\.id$/i"; classtype:trojan-activity; sid:4246571; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Outgoing HTTP Hostname w8oaa0.mariosolutions.biz.id"; flow:to_server,established; http.header; content: "Host|3a| w8oaa0.mariosolutions.biz.id"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])w8oaa0\.mariosolutions\.biz\.id[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4246572; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert dns any any -> any any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Hostname 0tuiwp.mariomanagement.biz.id"; dns.query; content:"0tuiwp.mariomanagement.biz.id"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])0tuiwp\.mariomanagement\.biz\.id$/i"; classtype:trojan-activity; sid:4246581; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Outgoing HTTP Hostname 0tuiwp.mariomanagement.biz.id"; flow:to_server,established; http.header; content: "Host|3a| 0tuiwp.mariomanagement.biz.id"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])0tuiwp\.mariomanagement\.biz\.id[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4246582; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert dns any any -> any any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Hostname lwafa.actiongroup.my.id"; dns.query; content:"lwafa.actiongroup.my.id"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])lwafa\.actiongroup\.my\.id$/i"; classtype:trojan-activity; sid:4246591; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Outgoing HTTP Hostname lwafa.actiongroup.my.id"; flow:to_server,established; http.header; content: "Host|3a| lwafa.actiongroup.my.id"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])lwafa\.actiongroup\.my\.id[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4246592; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert dns any any -> any any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Hostname avfa-wd3463btrq-uc.a.run.app"; dns.query; content:"avfa-wd3463btrq-uc.a.run.app"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])avfa\-wd3463btrq\-uc\.a\.run\.app$/i"; classtype:trojan-activity; sid:4246601; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Outgoing HTTP Hostname avfa-wd3463btrq-uc.a.run.app"; flow:to_server,established; http.header; content: "Host|3a| avfa-wd3463btrq-uc.a.run.app"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])avfa\-wd3463btrq\-uc\.a\.run\.app[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4246602; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert dns any any -> any any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Hostname factalia-ofh2cutija-uc.a.run.app"; dns.query; content:"factalia-ofh2cutija-uc.a.run.app"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])factalia\-ofh2cutija\-uc\.a\.run\.app$/i"; classtype:trojan-activity; sid:4246611; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Outgoing HTTP Hostname factalia-ofh2cutija-uc.a.run.app"; flow:to_server,established; http.header; content: "Host|3a| factalia-ofh2cutija-uc.a.run.app"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])factalia\-ofh2cutija\-uc\.a\.run\.app[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4246612; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert dns any any -> any any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Hostname gasgas-wd3463btrq-uc.a.run.app"; dns.query; content:"gasgas-wd3463btrq-uc.a.run.app"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])gasgas\-wd3463btrq\-uc\.a\.run\.app$/i"; classtype:trojan-activity; sid:4246621; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/416;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Outgoing HTTP Hostname gasgas-wd3463btrq-uc.a.run.app"; flow:to_server,established; http.header; content: "Host|3a| gasgas-wd3463btrq-uc.a.run.app"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])gasgas\-wd3463btrq\-uc\.a\.run\.app[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4246622; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert dns any any -> any any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Hostname haergsd-wd3463btrq-uc.a.run.app"; dns.query; content:"haergsd-wd3463btrq-uc.a.run.app"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])haergsd\-wd3463btrq\-uc\.a\.run\.app$/i"; classtype:trojan-activity; sid:4246631; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Outgoing HTTP Hostname haergsd-wd3463btrq-uc.a.run.app"; flow:to_server,established; http.header; content: "Host|3a| haergsd-wd3463btrq-uc.a.run.app"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])haergsd\-wd3463btrq\-uc\.a\.run\.app[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4246632; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert dns any any -> any any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Hostname jx-krrdbo6imq-uc.a.run.app"; dns.query; content:"jx-krrdbo6imq-uc.a.run.app"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])jx\-krrdbo6imq\-uc\.a\.run\.app$/i"; 
classtype:trojan-activity; sid:4246641; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Outgoing HTTP Hostname jx-krrdbo6imq-uc.a.run.app"; flow:to_server,established; http.header; content: "Host|3a| jx-krrdbo6imq-uc.a.run.app"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])jx\-krrdbo6imq\-uc\.a\.run\.app[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4246642; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert dns any any -> any any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Hostname ptb-wd3463btrq-uc.a.run.app"; dns.query; content:"ptb-wd3463btrq-uc.a.run.app"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ptb\-wd3463btrq\-uc\.a\.run\.app$/i"; classtype:trojan-activity; sid:4246651; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Outgoing HTTP Hostname ptb-wd3463btrq-uc.a.run.app"; flow:to_server,established; http.header; content: "Host|3a| ptb-wd3463btrq-uc.a.run.app"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ptb\-wd3463btrq\-uc\.a\.run\.app[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4246652; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert dns any any -> any any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Hostname ptm-wd3463btrq-uc.a.run.app"; dns.query; content:"ptm-wd3463btrq-uc.a.run.app"; nocase; pcre: 
"/(^|[^A-Za-z0-9-\.])ptm\-wd3463btrq\-uc\.a\.run\.app$/i"; classtype:trojan-activity; sid:4246661; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Outgoing HTTP Hostname ptm-wd3463btrq-uc.a.run.app"; flow:to_server,established; http.header; content: "Host|3a| ptm-wd3463btrq-uc.a.run.app"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ptm\-wd3463btrq\-uc\.a\.run\.app[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4246662; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert dns any any -> any any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Hostname pto-wd3463btrq-uc.a.run.app"; dns.query; content:"pto-wd3463btrq-uc.a.run.app"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])pto\-wd3463btrq\-uc\.a\.run\.app$/i"; classtype:trojan-activity; sid:4246671; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Outgoing HTTP Hostname pto-wd3463btrq-uc.a.run.app"; flow:to_server,established; http.header; content: "Host|3a| pto-wd3463btrq-uc.a.run.app"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])pto\-wd3463btrq\-uc\.a\.run\.app[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4246672; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert dns any any -> any any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Hostname 1.tcp.sa.ngrok.io"; dns.query; content:"1.tcp.sa.ngrok.io"; nocase; pcre: 
"/(^|[^A-Za-z0-9-\.])1\.tcp\.sa\.ngrok\.io$/i"; classtype:trojan-activity; sid:4246681; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e416 [tlp:white,misp-galaxy:malpedia="Mekotio",misp-galaxy:malpedia="Ousaban",misp-galaxy:mitre-malware="Astaroth - S0373"] Outgoing HTTP Hostname 1.tcp.sa.ngrok.io"; flow:to_server,established; http.header; content: "Host|3a| 1.tcp.sa.ngrok.io"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])1\.tcp\.sa\.ngrok\.io[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4246682; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/416;) alert dns any any -> any any (msg: "MISP e417 [tlp:white,misp-galaxy:target-information="Brazil",misp-galaxy:sector="Finance"] Domain atendesolucao.com"; dns.query; content:"atendesolucao.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])atendesolucao\.com$/i"; classtype:trojan-activity; sid:4246741; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/417;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e417 [tlp:white,misp-galaxy:target-information="Brazil",misp-galaxy:sector="Finance"] Outgoing HTTP Domain atendesolucao.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"atendesolucao.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])atendesolucao\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4246742; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/417;) alert dns any any -> any any (msg: "MISP e417 [tlp:white,misp-galaxy:target-information="Brazil",misp-galaxy:sector="Finance"] Domain servicoasso.com"; dns.query; content:"servicoasso.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])servicoasso\.com$/i"; classtype:trojan-activity; sid:4246751; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/417;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: 
"MISP e417 [tlp:white,misp-galaxy:target-information="Brazil",misp-galaxy:sector="Finance"] Outgoing HTTP Domain servicoasso.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"servicoasso.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])servicoasso\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4246752; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/417;) alert dns any any -> any any (msg: "MISP e417 [tlp:white,misp-galaxy:target-information="Brazil",misp-galaxy:sector="Finance"] Domain dowfinanceiro.com"; dns.query; content:"dowfinanceiro.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])dowfinanceiro\.com$/i"; classtype:trojan-activity; sid:4246761; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/417;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e417 [tlp:white,misp-galaxy:target-information="Brazil",misp-galaxy:sector="Finance"] Outgoing HTTP Domain dowfinanceiro.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"dowfinanceiro.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])dowfinanceiro\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4246762; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/417;) alert dns any any -> any any (msg: "MISP e417 [tlp:white,misp-galaxy:target-information="Brazil",misp-galaxy:sector="Finance"] Domain centralsolucao.com"; dns.query; content:"centralsolucao.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])centralsolucao\.com$/i"; classtype:trojan-activity; sid:4246771; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/417;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e417 [tlp:white,misp-galaxy:target-information="Brazil",misp-galaxy:sector="Finance"] Outgoing HTTP Domain centralsolucao.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; 
content:"centralsolucao.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])centralsolucao\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4246772; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/417;) alert dns any any -> any any (msg: "MISP e417 [tlp:white,misp-galaxy:target-information="Brazil",misp-galaxy:sector="Finance"] Domain traktinves.com"; dns.query; content:"traktinves.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])traktinves\.com$/i"; classtype:trojan-activity; sid:4246781; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/417;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e417 [tlp:white,misp-galaxy:target-information="Brazil",misp-galaxy:sector="Finance"] Outgoing HTTP Domain traktinves.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"traktinves.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])traktinves\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4246782; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/417;) alert dns any any -> any any (msg: "MISP e417 [tlp:white,misp-galaxy:target-information="Brazil",misp-galaxy:sector="Finance"] Domain diadaacaodegraca.com"; dns.query; content:"diadaacaodegraca.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])diadaacaodegraca\.com$/i"; classtype:trojan-activity; sid:4246791; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/417;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e417 [tlp:white,misp-galaxy:target-information="Brazil",misp-galaxy:sector="Finance"] Outgoing HTTP Domain diadaacaodegraca.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"diadaacaodegraca.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])diadaacaodegraca\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4246792; rev:1; priority:3; 
reference:url,https://misp.botvrij.eu/events/view/417;) alert dns any any -> any any (msg: "MISP e417 [tlp:white,misp-galaxy:target-information="Brazil",misp-galaxy:sector="Finance"] Domain segurancasys.com"; dns.query; content:"segurancasys.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])segurancasys\.com$/i"; classtype:trojan-activity; sid:4246801; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/417;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e417 [tlp:white,misp-galaxy:target-information="Brazil",misp-galaxy:sector="Finance"] Outgoing HTTP Domain segurancasys.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"segurancasys.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])segurancasys\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4246802; rev:1; priority:3; reference:url,https://misp.botvrij.eu/events/view/417;) alert ip $HOME_NET any -> 172.114.170.18 55155 (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Outgoing To IP: 172.114.170.18|55155"; classtype:trojan-activity; sid:4247151; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;) alert ip $HOME_NET any -> 194.126.178.8 55555 (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Outgoing To IP: 194.126.178.8|55555"; classtype:trojan-activity; sid:4247161; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;) alert ip $HOME_NET any -> 148.252.42.42 54467 (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Outgoing To IP: 148.252.42.42|54467"; classtype:trojan-activity; sid:4247171; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;) alert ip $HOME_NET any -> 74.124.219.71 any (msg: "MISP e418 
[misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Outgoing To IP: 74.124.219.71"; classtype:trojan-activity; sid:4247191; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;) alert dns any any -> any any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Hostname webmail.facadesolutionsuae.com"; dns.query; content:"webmail.facadesolutionsuae.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])webmail\.facadesolutionsuae\.com$/i"; classtype:trojan-activity; sid:4247201; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Outgoing HTTP Hostname webmail.facadesolutionsuae.com"; flow:to_server,established; http.header; content: "Host|3a| webmail.facadesolutionsuae.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])webmail\.facadesolutionsuae\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4247202; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;) alert dns any any -> any any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Hostname wody-info-files.firstcloudit.com"; dns.query; content:"wody-info-files.firstcloudit.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])wody\-info\-files\.firstcloudit\.com$/i"; classtype:trojan-activity; sid:4247211; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Outgoing HTTP Hostname wody-info-files.firstcloudit.com"; flow:to_server,established; http.header; content: "Host|3a| wody-info-files.firstcloudit.com"; fast_pattern; nocase; pcre: 
"/(^|[^A-Za-z0-9-\.])wody\-info\-files\.firstcloudit\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4247212; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;) alert dns any any -> any any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Hostname kzgw-wody.firstcloudit.com"; dns.query; content:"kzgw-wody.firstcloudit.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])kzgw\-wody\.firstcloudit\.com$/i"; classtype:trojan-activity; sid:4247221; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Outgoing HTTP Hostname kzgw-wody.firstcloudit.com"; flow:to_server,established; http.header; content: "Host|3a| kzgw-wody.firstcloudit.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])kzgw\-wody\.firstcloudit\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4247222; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;) alert dns any any -> any any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Hostname nas-files.firstcloudit.com"; dns.query; content:"nas-files.firstcloudit.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])nas\-files\.firstcloudit\.com$/i"; classtype:trojan-activity; sid:4247231; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Outgoing HTTP Hostname nas-files.firstcloudit.com"; flow:to_server,established; http.header; content: "Host|3a| nas-files.firstcloudit.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])nas\-files\.firstcloudit\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; 
classtype:trojan-activity; sid:4247232; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;) alert dns any any -> any any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Hostname e-nas.firstcloudit.com"; dns.query; content:"e-nas.firstcloudit.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])e\-nas\.firstcloudit\.com$/i"; classtype:trojan-activity; sid:4247241; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Outgoing HTTP Hostname e-nas.firstcloudit.com"; flow:to_server,established; http.header; content: "Host|3a| e-nas.firstcloudit.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])e\-nas\.firstcloudit\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4247242; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;) alert dns any any -> any any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Hostname ua-calendar.firstcloudit.com"; dns.query; content:"ua-calendar.firstcloudit.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ua\-calendar\.firstcloudit\.com$/i"; classtype:trojan-activity; sid:4247251; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Outgoing HTTP Hostname ua-calendar.firstcloudit.com"; flow:to_server,established; http.header; content: "Host|3a| ua-calendar.firstcloudit.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])ua\-calendar\.firstcloudit\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4247252; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;) 
alert dns any any -> any any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Hostname calendarua.firstcloudit.com"; dns.query; content:"calendarua.firstcloudit.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])calendarua\.firstcloudit\.com$/i"; classtype:trojan-activity; sid:4247261; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Outgoing HTTP Hostname calendarua.firstcloudit.com"; flow:to_server,established; http.header; content: "Host|3a| calendarua.firstcloudit.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])calendarua\.firstcloudit\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4247262; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;) alert dns any any -> any any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Hostname calendar-ua.firstcloudit.com"; dns.query; content:"calendar-ua.firstcloudit.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])calendar\-ua\.firstcloudit\.com$/i"; classtype:trojan-activity; sid:4247271; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Outgoing HTTP Hostname calendar-ua.firstcloudit.com"; flow:to_server,established; http.header; content: "Host|3a| calendar-ua.firstcloudit.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])calendar\-ua\.firstcloudit\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4247272; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;) alert dns any any -> any any (msg: "MISP e418 
[misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Hostname e-gov-am.firstcloudit.com"; dns.query; content:"e-gov-am.firstcloudit.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])e\-gov\-am\.firstcloudit\.com$/i"; classtype:trojan-activity; sid:4247281; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Outgoing HTTP Hostname e-gov-am.firstcloudit.com"; flow:to_server,established; http.header; content: "Host|3a| e-gov-am.firstcloudit.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])e\-gov\-am\.firstcloudit\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4247282; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;) alert dns any any -> any any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Hostname e-gov.firstcloudit.com"; dns.query; content:"e-gov.firstcloudit.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])e\-gov\.firstcloudit\.com$/i"; classtype:trojan-activity; sid:4247291; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Outgoing HTTP Hostname e-gov.firstcloudit.com"; flow:to_server,established; http.header; content: "Host|3a| e-gov.firstcloudit.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])e\-gov\.firstcloudit\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4247292; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;) alert dns any any -> any any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Hostname info-mod.firstcloudit.com"; 
dns.query; content:"info-mod.firstcloudit.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])info\-mod\.firstcloudit\.com$/i"; classtype:trojan-activity; sid:4247301; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Outgoing HTTP Hostname info-mod.firstcloudit.com"; flow:to_server,established; http.header; content: "Host|3a| info-mod.firstcloudit.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])info\-mod\.firstcloudit\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4247302; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;) alert dns any any -> any any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Hostname e-mod.firstcloudit.com"; dns.query; content:"e-mod.firstcloudit.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])e\-mod\.firstcloudit\.com$/i"; classtype:trojan-activity; sid:4247311; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Outgoing HTTP Hostname e-mod.firstcloudit.com"; flow:to_server,established; http.header; content: "Host|3a| e-mod.firstcloudit.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])e\-mod\.firstcloudit\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4247312; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;) alert dns any any -> any any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Hostname rada-zakon.firstcloudit.com"; dns.query; content:"rada-zakon.firstcloudit.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])rada\-zakon\.firstcloudit\.com$/i"; 
classtype:trojan-activity; sid:4247321; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Outgoing HTTP Hostname rada-zakon.firstcloudit.com"; flow:to_server,established; http.header; content: "Host|3a| rada-zakon.firstcloudit.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])rada\-zakon\.firstcloudit\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4247322; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;) alert dns any any -> any any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Hostname militarysupport.firstcloudit.com"; dns.query; content:"militarysupport.firstcloudit.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])militarysupport\.firstcloudit\.com$/i"; classtype:trojan-activity; sid:4247331; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Outgoing HTTP Hostname militarysupport.firstcloudit.com"; flow:to_server,established; http.header; content: "Host|3a| militarysupport.firstcloudit.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])militarysupport\.firstcloudit\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4247332; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;) alert dns any any -> any any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Hostname sgg-files.firstcloudit.com"; dns.query; content:"sgg-files.firstcloudit.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])sgg\-files\.firstcloudit\.com$/i"; classtype:trojan-activity; sid:4247341; rev:1; priority:2; 
reference:url,https://misp.botvrij.eu/events/view/418;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Outgoing HTTP Hostname sgg-files.firstcloudit.com"; flow:to_server,established; http.header; content: "Host|3a| sgg-files.firstcloudit.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])sgg\-files\.firstcloudit\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4247342; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;) alert dns any any -> any any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Hostname sgg-gov.firstcloudit.com"; dns.query; content:"sgg-gov.firstcloudit.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])sgg\-gov\.firstcloudit\.com$/i"; classtype:trojan-activity; sid:4247351; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Outgoing HTTP Hostname sgg-gov.firstcloudit.com"; flow:to_server,established; http.header; content: "Host|3a| sgg-gov.firstcloudit.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])sgg\-gov\.firstcloudit\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4247352; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;) alert dns any any -> any any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Hostname presidencia-docs.firstcloudit.com"; dns.query; content:"presidencia-docs.firstcloudit.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])presidencia\-docs\.firstcloudit\.com$/i"; classtype:trojan-activity; sid:4247361; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;) alert http $HOME_NET any -> 
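$EXTERNAL_NET any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Outgoing HTTP Hostname presidencia-docs.firstcloudit.com"; flow:to_server,established; http.header; content: "Host|3a| presidencia-docs.firstcloudit.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])presidencia\-docs\.firstcloudit\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4247362; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;)
# One rule per line: the engine reads a rule as a single line unless it is continued with a trailing backslash, so rules wrapped mid-option (as this export was) do not load.
# NOTE(review): the msg strings embed unescaped double quotes taken from galaxy tags (e.g. threat-actor="APT28"); confirm the target engine accepts them, since a literal " inside an option value normally has to be escaped as \".
# Event 418 (APT28 hostnames): each name gets a dns.query rule plus a clear-text HTTP Host-header rule. No tls.sni rule for these names appears in this section, so HTTPS connections to them are only visible through the DNS lookup.
alert dns any any -> any any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Hostname files-presidencia.firstcloudit.com"; dns.query; content:"files-presidencia.firstcloudit.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])files\-presidencia\.firstcloudit\.com$/i"; classtype:trojan-activity; sid:4247371; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Outgoing HTTP Hostname files-presidencia.firstcloudit.com"; flow:to_server,established; http.header; content: "Host|3a| files-presidencia.firstcloudit.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])files\-presidencia\.firstcloudit\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4247372; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;)
alert dns any any -> any any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Hostname e-presidencia.firstcloudit.com"; dns.query; content:"e-presidencia.firstcloudit.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])e\-presidencia\.firstcloudit\.com$/i"; classtype:trojan-activity; sid:4247381; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Outgoing HTTP Hostname e-presidencia.firstcloudit.com"; flow:to_server,established; http.header; content: "Host|3a| e-presidencia.firstcloudit.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])e\-presidencia\.firstcloudit\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4247382; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;)
alert dns any any -> any any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Hostname presidencia-files.firstcloudit.com"; dns.query; content:"presidencia-files.firstcloudit.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])presidencia\-files\.firstcloudit\.com$/i"; classtype:trojan-activity; sid:4247391; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Outgoing HTTP Hostname presidencia-files.firstcloudit.com"; flow:to_server,established; http.header; content: "Host|3a| presidencia-files.firstcloudit.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])presidencia\-files\.firstcloudit\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4247392; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;)
alert dns any any -> any any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Hostname presidencia-gov.firstcloudit.com"; dns.query; content:"presidencia-gov.firstcloudit.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])presidencia\-gov\.firstcloudit\.com$/i"; classtype:trojan-activity; sid:4247401; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Outgoing HTTP Hostname presidencia-gov.firstcloudit.com"; flow:to_server,established; http.header; content: "Host|3a| presidencia-gov.firstcloudit.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])presidencia\-gov\.firstcloudit\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4247402; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;)
alert dns any any -> any any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Hostname presidencia-gob.firstcloudit.com"; dns.query; content:"presidencia-gob.firstcloudit.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])presidencia\-gob\.firstcloudit\.com$/i"; classtype:trojan-activity; sid:4247411; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Outgoing HTTP Hostname presidencia-gob.firstcloudit.com"; flow:to_server,established; http.header; content: "Host|3a| presidencia-gob.firstcloudit.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])presidencia\-gob\.firstcloudit\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4247412; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;)
alert dns any any -> any any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Hostname gcsd.firstcloudit.com"; dns.query; content:"gcsd.firstcloudit.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])gcsd\.firstcloudit\.com$/i"; classtype:trojan-activity; sid:4247421; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Outgoing HTTP Hostname gcsd.firstcloudit.com"; flow:to_server,established; http.header; content: "Host|3a| gcsd.firstcloudit.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])gcsd\.firstcloudit\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4247422; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;)
alert dns any any -> any any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Hostname emod.firstcloudit.com"; dns.query; content:"emod.firstcloudit.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])emod\.firstcloudit\.com$/i"; classtype:trojan-activity; sid:4247431; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Outgoing HTTP Hostname emod.firstcloudit.com"; flow:to_server,established; http.header; content: "Host|3a| emod.firstcloudit.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])emod\.firstcloudit\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4247432; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;)
alert dns any any -> any any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Hostname e-military.firstcloudit.com"; dns.query; content:"e-military.firstcloudit.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])e\-military\.firstcloudit\.com$/i"; classtype:trojan-activity; sid:4247441; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Outgoing HTTP Hostname e-military.firstcloudit.com"; flow:to_server,established; http.header; content: "Host|3a| e-military.firstcloudit.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])e\-military\.firstcloudit\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4247442; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;)
alert dns any any -> any any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Hostname dls-gov.firstcloudit.com"; dns.query; content:"dls-gov.firstcloudit.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])dls\-gov\.firstcloudit\.com$/i"; classtype:trojan-activity; sid:4247451; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Outgoing HTTP Hostname dls-gov.firstcloudit.com"; flow:to_server,established; http.header; content: "Host|3a| dls-gov.firstcloudit.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])dls\-gov\.firstcloudit\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4247452; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;)
alert dns any any -> any any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Hostname eecommission.firstcloudit.com"; dns.query; content:"eecommission.firstcloudit.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])eecommission\.firstcloudit\.com$/i"; classtype:trojan-activity; sid:4247461; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Outgoing HTTP Hostname eecommission.firstcloudit.com"; flow:to_server,established; http.header; content: "Host|3a| eecommission.firstcloudit.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])eecommission\.firstcloudit\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4247462; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;)
alert dns any any -> any any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Hostname eecommission-drive.firstcloudit.com"; dns.query; content:"eecommission-drive.firstcloudit.com"; nocase; pcre: "/(^|[^A-Za-z0-9-\.])eecommission\-drive\.firstcloudit\.com$/i"; classtype:trojan-activity; sid:4247471; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e418 [misp-galaxy:threat-actor="APT28",misp-galaxy:mitre-intrusion-set="APT28 - G0007",tlp:white] Outgoing HTTP Hostname eecommission-drive.firstcloudit.com"; flow:to_server,established; http.header; content: "Host|3a| eecommission-drive.firstcloudit.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-\.])eecommission\-drive\.firstcloudit\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:4247472; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/418;)
# Event 420: plain "alert ip" destination rules carry no flow or threshold keyword, so every packet to one of these addresses raises its own alert; add threshold if alert volume matters.
alert ip $HOME_NET any -> 37.139.129.145 any (msg: "MISP e420 [tlp:white] Outgoing To IP: 37.139.129.145"; classtype:trojan-activity; sid:4247581; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/420;)
alert ip $HOME_NET any -> 195.10.205.23 any (msg: "MISP e420 [tlp:white] Outgoing To IP: 195.10.205.23"; classtype:trojan-activity; sid:4247591; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/420;)
alert ip $HOME_NET any -> 172.105.124.34 any (msg: "MISP e420 [tlp:white] Outgoing To IP: 172.105.124.34"; classtype:trojan-activity; sid:4247601; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/420;)
alert ip $HOME_NET any -> 134.122.197.80 any (msg: "MISP e420 [tlp:white] Outgoing To IP: 134.122.197.80"; classtype:trojan-activity; sid:4247611; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/420;)
alert ip $HOME_NET any -> 91.92.254.31 any (msg: "MISP e420 [tlp:white] Outgoing To IP: 91.92.254.31"; classtype:trojan-activity; sid:4247621; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/420;)
alert ip $HOME_NET any -> 91.92.247.212 any (msg: "MISP e420 [tlp:white] Outgoing To IP: 91.92.247.212"; classtype:trojan-activity; sid:4247631; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/420;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e420 [tlp:white] Outgoing URL http|3a|//ads.hostloads.xyz/BAGUvIxJu32I0/gate.php"; flow:to_server,established; http.header; content:"ads.hostloads.xyz"; fast_pattern; nocase; http.uri; content:"/BAGUvIxJu32I0/gate.php"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:4247641; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/420;)
alert ip $HOME_NET any -> 185.241.208.83 any (msg: "MISP e420 [tlp:white] Outgoing To IP: 185.241.208.83"; classtype:trojan-activity; sid:4247811; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/420;)
alert ip $HOME_NET any -> 185.241.208.104 any (msg: "MISP e420 [tlp:white] Outgoing To IP: 185.241.208.104"; classtype:trojan-activity; sid:4247821; rev:1; priority:2; reference:url,https://misp.botvrij.eu/events/view/420;)
# Event 421 (APT29): the tls.sni content matches are unanchored substrings and case-sensitive (no startswith/endswith, no nocase), so a longer server name that contains the string also matches and a differently-cased SNI does not.
# NOTE(review): sids 4247851 and 4247861 carry identical detection logic for waterforvoiceless.org (only the sid differs), so both fire on the same session; one of them is redundant.
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e421 [misp-galaxy:mitre-intrusion-set="APT29 - G0016",misp-galaxy:target-information="Germany",misp-galaxy:sector="Political party",misp-galaxy:country="russia",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Thread Execution Hijacking - T1055.003",misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004",misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003",misp-galaxy:mitre-attack-pattern="Query Registry - T1012",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",tlp:white] Outgoing URL https|3a|//waterforvoiceless.org/invite.php"; tls.sni; content:"waterforvoiceless.org"; tag:session,600,seconds; classtype:trojan-activity; sid:4247851; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/421;)
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e421 [misp-galaxy:mitre-intrusion-set="APT29 - G0016",misp-galaxy:target-information="Germany",misp-galaxy:sector="Political party",misp-galaxy:country="russia",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Thread Execution Hijacking - T1055.003",misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004",misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003",misp-galaxy:mitre-attack-pattern="Query Registry - T1012",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",tlp:white] Outgoing URL https|3a|//siestakeying.com/auth.php"; tls.sni; content:"siestakeying.com"; tag:session,600,seconds; classtype:trojan-activity; sid:4248221; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/421;)
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg: "MISP e421 [misp-galaxy:mitre-intrusion-set="APT29 - G0016",misp-galaxy:target-information="Germany",misp-galaxy:sector="Political party",misp-galaxy:country="russia",misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027",misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083",misp-galaxy:mitre-attack-pattern="Thread Execution Hijacking - T1055.003",misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007",misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082",misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134",misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004",misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003",misp-galaxy:mitre-attack-pattern="Query Registry - T1012",misp-galaxy:mitre-attack-pattern="Process Discovery - T1057",tlp:white] Outgoing URL https|3a|//waterforvoiceless.org/invite.php"; tls.sni; content:"waterforvoiceless.org"; tag:session,600,seconds; classtype:trojan-activity; sid:4247861; rev:1; priority:1; reference:url,https://misp.botvrij.eu/events/view/421;)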